Update on Secunia Advisory SA38608

Lucas Adamski


Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. Developers have patched the vulnerability, and the fix is currently undergoing quality assurance testing. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download Release Candidate builds of Firefox 3.6.2, which contain the fix, from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Update: To clarify, as originally claimed, this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7” development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

40 responses

  1. Concerned User wrote on :

    Wonder why the guy took a sudden “u” turn and released the exploit code! Anyways, it is good that he has released the exploit and Mozilla is releasing the patch along with 3.6.2.

    Just a small concern: How exactly would this work? Does this require user interaction i.e. someone clicks on some link, jpeg, something like that?

    I’m currently using 3.6 and don’t want to use the beta. Would love to upgrade directly. Therefore, I’m a little concerned:). Thanks!

  2. emv x man wrote on :

    Are there any known issues with the 3.6.2 candidate that we should consider before going Beta?

  3. Lucas Adamski wrote on :

    This Beta is the Release Candidate build, so it should be identical to the final build of 3.6.2 that we will be shipping shortly. You should feel completely comfortable using it.

    The exploit itself does not require user interaction.

  4. freddy wrote on :

    what about firefox 3.5.8?

  5. Jesse Ruderman wrote on :

    Firefox 3.5.x is not affected by this security hole.

  6. Julia wrote on :

    I’m sorry, is firefox 3.0.18 affected by this security hole?

  7. Daniel Veditz wrote on :

    Neither is 3.0.x — only Firefox 3.6 is affected.

  8. Cat wrote on :

    Daniel Veditz – thanks heaps for confirming that other versions of FF are safe from this vulnerability. I’m relieved. I had read a report somewhere that said it “may” affect other versions yet The Register and the Mozilla blog here only mentioned 3.6.

    I take it then there will be no update for version 3.5.8 at the end of March, or are some other FF issues being fixed with this particular security patch at the same time that affect other versions too?

  9. Concerned User wrote on :

    @ Mozilla: Maybe, just maybe this could have been handled in a much more professional manner?

    Initially there were denials from Mozilla’s side. Now all of a sudden, they admit it!

  10. devpreview user wrote on :

    what about firefox 3.7 devpreviews, i have been using alpha2 and now alpha3 for a while.



    Built from http://hg.mozilla.org/mozilla-central/rev/148b45c740fa
    Build platform

    Build tools
    Compiler Version Compiler flags
    cl 14.00.50727.762 -TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
    cl 14.00.50727.762 -GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1

    Configure arguments
    --enable-application=browser --enable-update-channel=beta --enable-update-packaging --enable-jemalloc --enable-tests --with-branding=browser/branding/unofficial


    am i affected? running it on win32. thanks for hints.

    does the 3.7 codebase (internals/core ?) still contain the bug as opposed to the 3.6 internals/core?


  11. XtC4UaLL wrote on :

    @Concerned User: there were no denials.
    Mozilla Devs can only fix reported issues and unless somebody reports the issue, there’s not much the Devs can do about it besides saying, that they don’t know about the issue. and that is no denial.

    rather the persons finding an issue (esp. on security related issues) should step forward responsibly and report it (without delay!), so that the fixing process can start.

  12. graham wellbone wrote on :

    what about other mozilla derived products and subprojects, such as current thunderbird 3.x line? which if any are affected there? and what about thunderbird 2.0.0.x line?

    also important to us mozilla stuff users: what about seamonkey project? seamonkey 1.x affected? newer current seamonkey 2.0.x affected? 2.x affected?

    also: what about most current firefox 3.7alpha lines? which alpha is still affected and which is already fixed if any? is the 3.7line in general affected as well?

    please be more specific.

    thank you for your cooperation.
    best regards and hail to the planetary rulers.

  13. Ilja Sekler wrote on :

    At a guess: does setting gfx.downloadable_fonts.enabled to ‘false’ work around the issue before a fixed build is officially shipped?

  14. emv x man wrote on :

    Thank you.

  15. cubefox wrote on :

    Why did it take 4(!) weeks to tackle this zero day exploit? Why didn’t Mozilla simply buy the exploit software as Secunia did? Too little money?

    I cannot believe this behaviour… :(

  16. Happy Firefox User wrote on :

    Why should Mozilla buy it? How much should they pay? What if the next person wants twice that much? And then the next wants twice that… I applaud Mozilla for standing their ground and refusing to be extorted.

    Why didn’t you / Secunia / some other kind person buy it for Mozilla instead?

  17. H wrote on :

    @cubefox – paying people to give you details on vulnerabilities leads to people demanding more money over time.

  18. Concerned User wrote on :

    @ XtC4UaLL: Initially there was a huge confusion. A reputed company like Secunia gave a “CAT 4” rating to this vulnerability about 4 weeks ago. Many users like me were confused. Did this vulnerability exist or not?

    Mozilla’s statement was not clear:

    Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce.

    The very least they (Mozilla) could have done was to contact Secunia in the first place and ask them on what basis they could have rated this vulnerability.

    Let me ask a simple question: If the hacker had said “I’m not going to release this vulnerability. You’ll have to pay up. End of story”, how would Mozilla have responded?

    Now let us assume that the hacker “sells” this vulnerability to interested parties and they end up with a few banking passwords, e-mail passwords, malware infections etc…..24-25% of the “alleged browser market” is not such a bad target!

    By this time, someone does realize how this flaw works and a patch is released. It would be too late and there goes the years of hard work put in by the Mozilla foundation…. :(

    Don’t get me wrong. Firefox is a great product and I still use it. But the Mozilla team needs to interact a lot more with their users at a time like this.

    “Mozilla Devs can only fix reported issues and unless somebody reports the issue, there’s not much the Devs can do about it besides saying, that they don’t know about the issue. and that is no denial.”

    Hmmmm….One question: If something like this were to happen in the future, would Mozilla be willing to pay to know about the vulnerability? Just asking :)

  19. Marc wrote on :

    @Concerned User: I would hope that – in the scenario you provided – they would NOT pay for it. Once that is proven to work, you’ll give everyone who claims an exploit (real or not) free license to extort money from the Mozilla Foundation.

  20. Anon wrote on :

    Does ProPolice protect against this vulnerability?
