Firefox 3 suffers its first vulnerability

Less than one day after its launch, Firefox 3 has a vulnerability.

According to Tipping Point's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.

"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.

Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.

Mozilla is reported to be working on a fix.

The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

[CSharpZealot]

That's hillariously ironic seeing as i just saw an interview with the design director (believe that was his title) from Firefox in regards to the download record they're trying to set..

in the interview the *** mentioned that FF was the most secure browser and they've fixed 15000 issues ..yada yada yada..since this is the same security flaw that's exploitable in FF2, how come it wasn't addressed in the list of fixes?

shame on you!

[Lerianis]

They might not have known that this security flaw existed... can't blame them for that, considering that Google and Microsoft have had problems that went through IE 1 all the way to IE7.

[cnetcensorssuck]

It wasn't "addressed" in the list of fixes, Einstein, because they didn't know it existed until just now.

[Lerianis]

Not surprised by this. Firefox is meant to be more secure than IE, but there is absolutely NO way that they could anticipate all the ways that someone could infect a system or exploit their software. Though, if this requires 'User interaction'..... I wouldn't mark this as critical, unless it means that you just have to click on a link and BOOM! You're infected by malware/spyware.

[CSharpZealot]

"meant to be more secure" i believe that's the key parts here...5hrs in and an exploit pops up that's marked as critical...since no details has been released on the exploit/vulnerability it's hard to judge. but it's the same which works on FF2..with that many fixes shouldn't security have been a top priority if FF still wants to regain the mark "most secure browser" again? this is not a good sign..maybe they all focused on the shiny experience rather than the cogs in the wheel?

don't know for sure Lerianis, but a critical vulnerability is not a good start 5hrs in and with 14000 downloads per minute that's an awful lot of people getting software down with flaws in it..see the fire spread :)

[pjhenry1216]

@CSharpZealot: It's most likely a very obscure fault because it's existed for such a long time and just happens to be found now (what a coincidence... if they had reported this flaw last week, probably wouldn't get a headline... but today? you betcha). Internet Explorer, Opera, Safari all have vulnerabilities. Statistically speaking this says absolutely nothing about whether its safer than other browsers or not. Though, statistically, its track record does. You're picking apart something that really is meaningless to the big picture. Every browser that comes out *will* have vulnerabilities. When they're found is meaningless. In fact, it may be better with firefox because everyone can see the code and therefore can find the flaws more quickly because they know whats going on due to transparency. To me, it just sounds like someone sounds like a sore loser in the browser world. Firefox isn't the be all end all and it may not suit everyone's needs, but its one hell of a damn good web browser.

[pjhenry1216]

I find it somewhat coincidental that they never found this flaw which also existed in firefox 2 until the day firefox 3 launches. I would not be the least bit surprised if they sat on the bug until firefox 3 came out to see if it still existed and then sent out their little memo just to get headlines.

[Lerianis]

Oh, how little faith you have in these people..... though to be honest, I think that is what it was as well.... they sat on this flaw until Firefox 3 came out, then say "Hey, look! Here's the first Firefox 3 vulnerablity.... not 5 hours after it was released!"

[groink_hi]

As long as the vulnerability is also in version 2.x. The title of the article made it sound like the vulnerability was added to 3.0, rather than being inherited from an earlier version.

[groink_hi]

As long as the vulnerability is also in version 2.x. The title of the article made it sound like the vulnerability was added to 3.0, rather than being inherited from an earlier version.

[NewsReader_]

Wow. There are now 8 million+ potential victims out there.

It does not matter if the vulnerability was already there. If Firefox 3 is so much better, why didn't it get fixed.

How embarrassing.

[cnetcensorssuck]

Are you really that naive? Do you really think there's such a thing as a browser (or any other significant piece of software for that matter) that doesn't have any yet to be discovered flaws? Every single browser, from Opera to Safari to Internet Explorer, et al has them. Most of them will never even be discovered.

[gggg sssss]

ROTFLMAO while typing this in IE&

[drhowarddrfine]

ROTFLMAO at the Windows users making comments above who have more than 3x the vulnerabilities of any other browser.

[WhuzYoDaddy]

Um, yeah. Source for your "numbers"?

[ferretboy88]

Who cares if they pay people to find attacks.

[Kwasiowusu]

Very funny. What delicious irony. The much vaunted "super secure" Firefix suffers from a security vulnerability that existed in Firefox 2 in les than 24 hours after launch. What a joke! If new version of IE had such a big and obvious security hole within a day of launching, the open source crazies would be all over this board, insanely screaming about how open source is "inherently more score", and how "Microsoft sucks". I can barely control my luaghter. LMAO!

[The_Decider]

People are laughing at you using the most bug ridden, flawed browser ever. If you think this somehow make IE better, you are more dumb then your post makes you out to be. FF would need about 10,000 flaws and about 100,000 exploits before you can claim IE is safer.

[Lerianis]

Actually, IE8 and Firefox are pretty even in terms of vulnerabilities. The only reason why IE ones are more critical, is because IE is integrated in lockset up Windows Explorer, which is a BAAAAAD idea to do with ANY browser.

[adasha76]

Isn't it kind of sad that you're feeling threatened by a piece of software? Either that or you have a very low humour threshold if you can 'barely control' your laughter - you should probably get out more.

[real_bgiel]

Take a class in spelling when you get a chance.

[Tbird1996]

..ok...it's better than anything that MS has to offer. Mac guys...sorry you're soooo insignificant...and when Linux get just a little further down the road...we'll all be better for it.
(why do the Mac people trash Linux so badly when their OS is based on Linux...?' eh?)

[rubenerd]

I'm a Mac user and I love Linux. Most Mac users I know acknowledge Linux as a positive force. Please don't whitewash entire groups of people.

Oh and for the record, Mac OS X is not based on Linux. Please check your facts before submitting such comments.

[Tbird1996]

..ok...it's better than anything that MS has to offer. Mac guys...sorry you're soooo insignificant...and when Linux get just a little further down the road...we'll all be better for it.
(why do the Mac people trash Linux so badly when their OS is based on Linux...?' eh?)

[The_Decider]

At least Windows fans are consistently idiotic. More secure doesn't mean flawless. It means it is more secure then IE. That is fact. Deal with it, grow up, and stop letting MS do your thinking for you.

[FrankTurd]

Too funny. All the hype and Firefox 3 puts the users are risk right off the bat. What a piece of crap. Security my butt.

[DJRWolf]

Early security bugs like this is one of the reasons why I have not upgraded yet. The other being I'm waiting for add-on's to update to 3 from 2.

[rklrkl]

I defniitely think whoever found this flaw sat on it, potentially for weeks, until the Firefox 3 final version was released to get maximum publicity. Not only does Firefox 2 have this flaw, but so would all the many Firefox 3 pre-releases, especially the release candidates. Remember that the Firefox 3 final build date was actually 29th May on Windows/Linux, some 3 weeks before the final was formally released. If the flaw discoverer sat on the bug without telling Mozilla for weeks, then that's gross negligence and unless someone can prove otherwise, I think that's the far more likely scenario.

[pretenderkc]

folks, let me just make it simple.
FF or IE or whatever, there will be always a FLAW.
software is designed and written by human.
and human ain't perfect and that's the weak link.
one might claim otherwise.

there are people who enemy #1 to Microsoft but you have to thank Microsoft for what computer became today.
true that Microsoft might step on a foot here and there, low punch here and there, but think about it, which company at Microsoft position didn't play the same trick?
and this is true for other industry as well....including politicians.

considering that IE is the top guy, u know there are a lot of people who want to topple it.

yesterday was the first time i checked out FF.
downloaded it.
installed it.
play wth it for a couple hrs.
uninstall it on the same day!!!
FF can't even render the webpage correctly.
FF will always be like Linux.
fun to play with but if u want something productive, it will be always Microsoft.

though, i have to praise the folks at FF and others like Linux and MicroSystem.
without them, Microsoft wouldn't move their big ass to improve their product.
so, competition is good for the consumer.

long live the REVOLUTION!!!!

[rubenerd]

"FF will always be like Linux. fun to play with but if u want something productive, it will be always Microsoft".

Most websites are running on free and open source software, not Microsoft IIS. Google uses thousands of Linux servers. MacBooks are the best selling laptops at universities. Productive and Microsoft in the same sentence? Jeez!

"which company at Microsoft position didn't play the same trick?"

Unfortunately true. This is why open standards are so critical, and why Microsoft doesn't like them.

"but you have to thank Microsoft for what computer became today."

I assume you're referring to workstations and personal computers. Slow, inneficient, insecure and buggy? We have Microsoft to thank for that for sure! And don't get me started on how Internet Explorere sucessfully held back the intertubes for such a long time.

[Alacastor]

"FF can't even render the webpage correctly."

And you're saying IE can? Did you see how IE7 did on the Acid3 test? It was quite pathetic. Firefox 3 had decent results

[pretenderkc]

@rubenerd:

as to open source, you have to look and think further....
do you want 10 different flavors of Linux or Windows or OSX?
and do you think software developer have time and resources to support all the flavors?
not likely.

yes, i agree open source is good for something but not all things.

"Most websites are running on free and open source software, not Microsoft IIS."

true.
but that doesn't mean Santa Clause is real b/c 99% of the kids believe in it.
banks and big business still use IIS.
i personally prefer IIS b/c the PAID product has support and documentations.
now, if the open source has support and doc and easier to develop, i wouldn't hesitate to jump ship.
unfortunately, that's not the case at the present time.

[pretenderkc]

@Alacastor:

ACID3 test?
does it matter if it fail or pass some schmuck test?
what important to me is my daily workflow and the website i mostly visited.
if FF failed that, i don't care if it passed ACID3 or ACID10.

[Pharaoh630]

No application, software, etc. is ever 100% secure. This is no surprise, that's why patches are made available to users. Hopefully they're able to correct the vulnerability in a timely fashion, before users fall victim to malicious code.

[Philstera]

How embarrassing

[james.grimes]

pjhenry1216, I agree. There is just too much of a coincidence there. It seems very fishy.

Kwasiowusu, use a spell checker. And yes, they even have them available for those whom would rather use closed-source Internet Exploder (sorry, I meant Explorer)