Security hole fixed in Firefox 3.6
A fix is now available for a security hole that was discovered in Firefox 3.6 under Windows in early February. According to Mozilla's blog, the fix will be included in version 3.6.2, which is scheduled for release on the 30th of March. Those who don't want to wait can install the current beta of this version.
The exploit allows remote attackers to take control of a PC. Secunia's advisories rate the problem as highly critical, while the German BürgerCERT recommends using a different browser until the problem has been fixed.
The security hole became apparent when Russian security firm Intevydis provided their customers with a Windows exploit for the hole. Intevydis sell their knowledge and don't freely share the details of security holes they discover with the developers of the affected products. This explains why it has taken so long to fix the Firefox problem. Evgeny Legerov, who discovered the hole, had initially bragged about his discovery without mentioning any details, although he did contact the Mozilla developers later on.
- Firefox 3.0 approaches end-of-life, a report from The H.
- Mozilla officially releases Firefox 3.6, a report from The H.