First critical security hole in Firefox 3
Firefox 3 is not off to a good start. Only five hours after being officially released on June 17, the Zero Day Initiative (ZDI) reported the discovery of a critical security flaw in the latest Mozilla Foundation browser. ZDI says that the flaw has been verified in the lab. Attackers can reportedly inject malicious code into a PC by means of a crafted web site, and launch the code with the user's rights. The flaw apparently also affects Firefox 2.
No additional information will be published until the Firefox developers have produced an update. The Zero Day Initiative, launched by 3Com and TippingPoint, strictly adheres to the policy of Responsible Disclosure – only publishing details about security flaws when an update has already been made available to remedy the situation. It is not clear whether the flaw is currently being exploited.
The problem first became public in a Firefox entry at ZDI's list of "Upcoming Advisories". This list provides an overview of all of the flaws that have already been reported to vendors but not yet been patched. At present, all major vendors have multiple entries in the list, and most of the flaws are considered critical. One of them seems to be particularly severe – Microsoft has known about a critical hole for 644 days and has yet to produce a patch.
- Mozilla Firefox 3.0 Vulnerability, ZDI report