Update on Secunia Advisory SA38608

Lucas Adamski


Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and the fix is currently undergoing quality assurance testing. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download Release Candidate builds of Firefox 3.6.2, which contain the fix, from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Update: To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7” development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

40 responses

  1. Bertrand wrote on :

    Firefox 3.6 sucks anyway: e.g. lots of buggy behavior, new tabs are opened in an unpredictable fashion, and there’s nothing better about 3.6 over 3.5. It doesn’t surprise me that there’s a critical vulnerability that was introduced in the 3.6 branch. I already reverted to the 3.5 branch weeks ago.

  2. Alhazred wrote on :

    I think what you have to do is put yourself in the devs’ shoes. All sorts of people make all sorts of claims about exploits all the time. What do they do, go around buying every ‘exploit’ that Tom, Dick, and Harry claim to have every week? It’s simply not reasonable to expect this and it wouldn’t even make sense. Now, they might be able to pay someone for information sometimes, but it’s going to have to be solidly credible before that happens. Beyond that no organization can possibly be aware of everything floating around in the world, it still has to come through some channel.

    Thus it seems like what the devs said was exactly what the reality is, they can’t do squat about Internet rumors and claims of vulnerabilities. They can only work on fixing actual documented vulnerabilities that have been verified to exist where they have the information in hand. Period.

    Beyond that there are a lot of reasons why it’s not a great idea to run around buying exploits. Whose hands are you putting this money in and what are they doing with it? It sounds great in theory but in practice it probably isn’t all that great an idea. At best it has to be looked into on a case-by-case basis, and again that means every random guy that claims to have an ‘exploit’ to sell can’t even be looked into and still have time to do any real work.

  3. catilley1092 wrote on :

    Look, at least Mozilla is advancing their browser every couple or so months. Look at the competition (IE8), they have all kinds of problems, where’s IE9 at? It’s fine for a billionaire corporation not to upgrade, but when Mozilla, a corporation that operates largely on donations and staffed by a lot of volunteers, misses something, people cry bloody murder. I remember when Firefox was an absolute RAM hog, but it has come a long way from that. IE8 was released around a year ago, it’s still the same piece of crap it was when released. An open door to viruses and malware.

  4. Concerned User wrote on :

    @ all Mozilla guys in this thread:):

    Yes, I do understand that it is very difficult for the devs.

    However, please note that Secunia is a trusted organization and their attitude was worse:(….

    They simply gave a “CAT 4 rating” without any proof and after 4 weeks, the vulnerability was finally released:)….

    Some of us received no proper replies at the Secunia forum and now they’ve tried to justify themselves in a new blog post:):


    In the future, if such a situation were to occur, an e-mail to Secunia for Mozilla for further clarifications would not hurt, would it?

    The fact that (any) software company/entity/organization can be taken “hostage” by the words of a professional hacker is a very scary thought!

    Concerned User

  5. Lawrence wrote on :

    Please, it’s like I am already a victim. My Firefox browser no longer opens, I keep getting the message “Firefox has stopped working.” What do I do?

    1. Daniel Veditz wrote on :

      @Lawrence: Contact the folks at http://support.mozilla.com/ for help — there could be a lot of different reasons for your symptoms. Most likely you have incompatible software installed (which might include malware) and they’ll be able to help you narrow it down and resolve the issue.

  6. whatever wrote on :

    Mozilla could maybe speed up the release of 3.6.2 now?!
    What happened to 3.6.1 by the way?

    1. Daniel Veditz wrote on :

      “3.6.1” corresponded with the release of Firefox Mobile 1.0 (“Fennec”). Because there were no security fixes we skipped a desktop update. Those fixes will be rolled into the 3.6.2 release.

  7. Daniel Veditz wrote on :

    @Concerned User:

    > The very least they (Mozilla) could have done was to contact
    > Secunia in the first place

    Of course we did! They told us the reporter had a good track record (and they were right) but that didn’t help us figure out what needed fixing.

  8. Concerned User wrote on :

    @ Daniel: Many thanks for responding patiently to all my questions!

    Secunia could have posted something like this in their advisory:

    “We’ve also received an e-mail from the Mozilla team. Currently, there is no information available about this exploit.

    We’ll update our users when we have more information available.”

  9. Robert Carnegie wrote on :

    @18 A hypothetical researcher who demands money for supplying the exploit details to the software publisher versus supplying details to the world’s hackers would be, if they took the latter course, guilty in respect of all the hacking subsequently done using the data. And a respectable researcher has a known business or home address. So someone who tries to blackmail with an exploit is taking a considerable risk. Then again, making a deal with established professional Internet criminals is a risk, too.

    If I’m correctly reading http://www.theregister.co.uk/2010/03/12/ie_metasploit_0day_flaw/ (yeah, I know) it’s a case where non-criminal researchers became aware of one defect in Microsoft Internet Explorer because the bad guys found it and used it first. Or maybe one grey-hat researcher somewhere found it and decided to cash in on this one, then the exploits, then other researchers analyzed the exploits…

  10. Norman Burns wrote on :

    Does NoScript close this vulnerability?

    If earlier versions are not affected, could Mozilla offer a rollback feature in a future release so we could return to an unaffected version, if a similar situation should ever arise?

  11. David Dows wrote on :

    When in doubt, the simplest temporary (if not permanent) workaround is to protect yourself via SandBoxie, DropMyRights, or any other method that keeps the potential exploit from gaining Admin access.

    I do that all the time, except when I’m trying to make modifications to FF or TB that require admin access themselves. When I’m done with those changes, I close it and open FF or TB with restrictions in place.

    99% of the time, the limited rights allow me to browse in the same manner as I would with Admin rights. I also use NoScript and only allow whatever is necessary for my browsing.

    What’s the BFD?

  12. Nhs wrote on :

    Does this vulnerability affect only Windows based pcs or also those with linux?

  13. security war wrote on :

    firefox the best browser

    and they fix all quickly no one worry

  14. Daniel Veditz wrote on :

    @Norman Burns: yes, NoScript can help:

    @Nhs: The vulnerability (flaw in Firefox) exists on all platforms. We haven’t seen any exploits (attacks) in the wild but I believe the VulnDisco pack from the reporter contained only a Windows-based exploit.

  15. Natanael L wrote on :

    @32, Norman:
    I’d love a “QuickPatch” addon (or something like it) that would allow instant security fixes for exploits (it would allow rough fixes like disabling a certain feature completely until patched).

  16. Tomawoz wrote on :

    Several posters above have complained that Mozilla did not contact Secunia about this problem. It seems to me that if Secunia discovered and documented a problem with Firefox, that Secunia had an immediate obligation to provide all relevant information to the Firefox developers. To leave it up to Mozilla to take the initiative on this is totally irresponsible.

  17. happf_FF_user wrote on :

    I’ve just found the 3.6.2 update (German FF) and only want to say DANKESCHÖN.

  18. Dave wrote on :

    Does not install for me, says there are other copies of Firefox running!!
