Code execution vulnerability found in Firefox 3.0

Just 5 hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts all Firefox 3.0 users at risk of PC takeover attacks.

According to a note from TippingPoint's Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier versions of Firefox 2.0x.

Technical details are being kept under wraps until Mozilla's security team ships a patch.

According to ZDI's alert, it should be considered a high-severity risk:
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker".


Someone who sells a critical code execution vulnerability is not a researcher in my book but a cracker out for personal monetary gain. Researchers submit their findings without expecting payment.

Presumably this bottom feeding company also considers that the code it buys becomes its property and as such is covered by copyright etc. I'd like to see a lawsuit to destroy this company because it can be considered extortion to withhold critical information until monetary remuneration for something that can cause data loss / theft in an arbitrary fashion to a potentially unlimited amount of people.

I'll bet they wouldn't try this crap with Microsoft, should they have some exploit for IE...

"Researchers submit their findings without expecting payment."

Yeah because the Fairy People come at night and leave food and rent money for the Researchers to survive.
That "bottom feeding company" you're talking about pays people to hand them the vulnerability info as encouragement to not release it to less noble users.
As was said in the article, they are keeping it private until a fix is released.

What's the deal with you Firefox fanbois? Too bad there isn't a Brain extension you can just download and install.

WTH,
How can this story be below the story about Firefox3 just having been released?

What a fine piece we have here!!
Man, I just wish this browser would die so all the fan boys would get off their trip! :redface:

What are you talking about? This story was posted an hour ago. Firefox 3 was released about a day and three quarters ago.
The article about FF3 above this one is a review, not a release announcement!

Also why do you want Firefox 3 to die? It's the best browser. It's gaining share from Microsoft, not dying.

(TCLN Ryster said @ #2.1)
What are you talking about? This story was posted an hour ago. Firefox 3 was released about a day and three quarters ago.
The article about FF3 above this one is a review, not a release announcement!

Also why do you want Firefox 3 to die? It's the best browser. It's gaining share from Microsoft, not dying.


"The best browser" is a matter of opinion; I'm sure the people over at Opera would like to have a word with you.

(GP007 said @ #2.2)
"The best browser" is a matter of opinion; I'm sure the people over at Opera would like to have a word with you.

Indeed, I should have made it clear that was just my opinion.

I highly doubt they "just happened" by chance to find this just hours after release.

I think it's more likely that they knew of it and waited till release to announce it, which is irresponsible. Why didn't they report the bug to Mozilla before it went final and millions of people downloaded it.

(TCLN Ryster said @ #1)
I highly doubt they "just happened" by chance to find this just hours after release.

I think it's more likely that they knew of it and waited till release to announce it, which is irresponsible. Why didn't they report the bug to Mozilla before it went final and millions of people downloaded it.

Good point, I was sceptical when I read it. I wonder whether this company, who no one has heard of until now, uses this as a marketing ploy to drum up business.

Pathetic businesses, they're almost as bad as Eolas and their patent suit against Microsoft.