According to TippingPoint's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.
"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.
Although the Zero Day Initiative team does not offer specifics until the vendor has had a chance to patch, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.
Mozilla is reported to be working on a fix.
The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.
I recently spoke with Johnathan Nightingale, Mozilla's "Human Shield," the man who designed the security interface within Firefox 3. One of the big changes is how Firefox communicates the authenticity of a given site. Located on the left-hand side of the address bar is a small icon associated with the site. Sites using Extended Verification Secure Sockets Layer (EV SSL) certificates go an additional step.
Nightingale explains: "If you go to PayPal.com, for instance, that will expand out and it'll say PayPal Inc USA because PayPal is a site that presents this enhanced identity information and so, because they're presenting it to the browser, we can present it to our users, and if you click that button you get a bunch more information. You get this little site identity pop-up basically. It'll tell you that this PayPal Inc is located in such and such a place in the United States, and there's even a 'more information' button that'll talk about your history with that site: how many times have you visited it before; all in an effort to help you understand whether this is the site you think it is and what the state of your relationship with that site is.
"Now, as for how Larry figures into all of that--the icon we chose to communicate this identity checking is a passport officer. When you click this icon, which is available on any Web site, whether it has completely verified identity information or no information at all, you can always click the button and find out more about the Web sites that you're interacting with. You'll always see the little passport officer to indicate that we're checking identity credentials right; we're looking into the site; we're trying to verify the information so we can present it to you so that you can make an informed decision about the sites that you're interacting with.
"A lot of sites these days aren't providing any identity information and that's okay. If you don't need to trust them, if you don't need to exchange any confidential information with them, then maybe you don't care if they're identifying themselves. But sites like banks or even government sites for that matter, we're hoping that as more and more of them deploy this extended identity information our users will have a much better sense of who they're interacting with and will develop a confidence that they're on the site they appear to be on."
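The identity button described above draws what it displays from fields in the site's certificate. The following Go program is an added example, not Mozilla's code: it checks the certificatePolicies extension of a leaf certificate for the CA/Browser Forum Extended Validation policy OID (2.23.140.1.1) and surfaces the subject's organization and country only when that policy is present, falling back to the bare host name otherwise, which is the distinction the interview draws between "PayPal Inc USA" and a site that identifies itself no further. The test certificate it builds is a constructed self-signed one that exists only to exercise the parsing; Firefox's real check is stricter, matching CA-specific EV OIDs against its built-in root store after validating the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs used below: the X.509 certificatePolicies extension (RFC 5280 4.2.1.4)
// and the CA/Browser Forum Extended Validation policy identifier.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation mirrors the RFC 5280 PolicyInformation SEQUENCE. Only the
// policy OID is decoded; Go's asn1 decoder tolerates trailing qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// SiteIdentity is what an address-bar identity widget would display.
type SiteIdentity struct {
	Host, Organization, Country string
	EV                          bool
}

// Label renders the identity the way the interview describes it: the vetted
// organization and country for an EV site, otherwise only the host name.
func (s SiteIdentity) Label() string {
	if s.EV {
		return fmt.Sprintf("%s (%s)", s.Organization, s.Country)
	}
	return s.Host
}

// HasEVPolicy reports whether the certificatePolicies extension carries the EV OID.
func HasEVPolicy(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			return false // malformed extension: treat as not EV
		}
		for _, p := range policies {
			if p.Policy.Equal(oidEVPolicy) {
				return true
			}
		}
	}
	return false
}

// IdentityFor derives the display identity from a parsed leaf certificate.
// Subject fields are surfaced only under the EV policy: a domain-validated
// certificate's organization is not vetted by the CA, so showing it would
// lend unearned credibility.
func IdentityFor(host string, cert *x509.Certificate) SiteIdentity {
	id := SiteIdentity{Host: host}
	if !HasEVPolicy(cert) {
		return id
	}
	id.EV = true
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	if len(cert.Subject.Country) > 0 {
		id.Country = cert.Subject.Country[0]
	}
	return id
}

// SelfSignedLeaf builds a constructed self-signed certificate for the demo
// (hypothetical: real EV certificates come from audited CAs; this helper only
// exercises the parsing above). The policies extension is encoded by hand so
// the example does not depend on version-specific x509 policy fields.
func SelfSignedLeaf(host, org, country string, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{org}, Country: []string{country}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ev {
		val, err := asn1.Marshal([]policyInformation{{Policy: oidEVPolicy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, ev := range []bool{true, false} {
		cert, err := SelfSignedLeaf("www.example.com", "Example Inc", "US", ev)
		if err != nil {
			panic(err)
		}
		id := IdentityFor("www.example.com", cert)
		fmt.Printf("EV=%-5v label=%q\n", id.EV, id.Label())
	}
}
```

The design point is in IdentityFor: the organization string is only ever shown when the certificate asserts the EV policy, because on a non-EV certificate that field is self-declared by whoever requested it.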
So how did Larry get his name?
"When I was doing the initial designs we had this passport guy in there and I was trying to find a way to introduce him to people and to talk about him and stuff. It gets sort of cumbersome to keep talking about the AIGA public domain icons or passport officer. He just seemed like a friendly guy to me and Larry seemed like a friendly name. I mean he's approachable, he's there to watch out for you, so it just made sense. It's not named after anyone in particular, although if there's a Larry out there that wants to claim the title they're welcome to do so."
My entire interview with Johnathan Nightingale can be heard here.
Correction at 7:50 a.m. PDT: The spelling of Johnathan Nightingale has been fixed.
At least one security feature won't make it into the final release of Firefox 3 on June 17, Mozilla confirmed again Thursday.
The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.
"It basically said to the browser: I would like what I'm about to do to not be logged anywhere," said Johnathan Nightingale, Mozilla's "human shield," aka its security user interface designer.
He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.
One possible use might be when someone other than the computer owner uses the browser.
"We looked at ways to do this, but the problem is that it touches a lot of code," Nightingale said. "Because there are such rich interactions with Web sites and mashups and things like that, we didn't want to put in something that was half baked."
You can hear more of my interview with Nightingale on my Security Bites podcast here.
Correction on June 13: The spelling of Johnathan Nightingale has been fixed.
On Wednesday, Mozilla announced next Tuesday, June 17, as "Download Day" for Firefox 3. The company also released Firefox 3 release candidate 3 as a final step toward full release.
With Firefox 3, Mozilla is attempting to set a Guinness World Record for the largest number of software downloads within a 24-hour period. There is currently no Guinness record for that accomplishment.
Firefox 3 includes a new rendering engine, so pages load faster. It also uses fewer system resources, addressing a complaint in earlier versions.
On this week's Security Bites podcast, I spoke with Johnathan Nightingale, Mozilla's "human shield," about the security features within Firefox 3, including its antimalware protection and support for Extended Verification SSL.
The current Firefox 3 release candidate, version 3, can be downloaded for Windows, Portable, Mac, and Linux systems.
Updated at 12:30 p.m. PDT on Wednesday with links to the newly debuted release candidate.
If you were planning to host a Firefox 3 launch party this week, keep that bubbly on ice a bit longer.
Mozilla on Wednesday released Firefox 3 Release Candidate 3. Windows and Linux users won't likely feel a thing; the new browser is considered stable on those platforms.
The extra release candidate addresses some lingering issues on the Mac OS X operating system. The changes are internal.
The previous test version, Firefox 3 Release Candidate 2, can also be downloaded for Windows, Portable, Mac, and Linux systems.
On Friday Opera announced that version 9.5 of the browser (download Opera 9.5 beta for Windows or Mac) will include built-in antimalware protection from Haute Secure (download for Windows 32-bit or Windows 64-bit).
This is, of course, to counter the antimalware protection built into Firefox 3, currently available as a final release candidate (download for Windows or Mac). Firefox uses data from Google and StopBadware to block a site before it loads on your browser.
Haute Secure counters that its offering is better because it relies upon a community of dedicated users to inform the product when to block and when not to. In testing at CNET, the latest version of Haute Secure still misses some recently published phishing sites, while Firefox 3 RC2 blocked them immediately.
How did that happen? Haute Secure explains that the APIs provided by antiphishing sites such as PhishTank won't update until the site is confirmed to be bad, whereas Google can make that determination on its own. Still, Haute Secure prevents malicious sites (as opposed to mere phishing sites) from loading, and provides more information about those sites than does Firefox 3.
Haute Secure was founded by a group of former Microsoft employees, and its flagship product came out of beta in March.
Mozilla hopes to set a world record for the most downloads within a 24-hour period on the day Firefox 3 is released (currently expected to be in June).
The online edition of the Guinness Book of World Records does not list a current record for most downloads within 24 hours.
The final release candidates for Firefox 3 are showing a number of improvements, including greater rendering speed, the use of fewer resources, and more baked-in security features than other browsers.
To help Mozilla set a world record, the foundation recommends the following:
- Sign up to get the final copy of Firefox 3 on Download Day.
- Host a Download Day Fest on Firefox 3 launch day at your school, office, or anywhere with an Internet connection.
- Become a Firefox campus representative and collect pledges from fellow students.
- Add Mozilla buttons and banners to your site, blog, or profile.
To get people excited, Mozilla has provided a map showing pledges to date along with more details.
Safari users may be subject to crashes or interactions with an attacker's malicious site, according to a warning posted on Tuesday on Bugtraq.
Researcher Juan Pablo Lopez Yacubian is credited with finding multiple vulnerabilities in Apple Safari 3.1.1 for Windows. Other versions of Safari may also be affected.
Among the vulnerabilities cited are a denial-of-service (crash) vulnerability caused by a write-access violation, a denial-of-service (crash) vulnerability caused by a read-access violation, and a third vulnerability that allows attackers to spoof the content shown in the address bar. A full write-up can be found here.
In a separate mailing to Bugtraq, Juan Pablo Lopez Yacubian says he was also able to use a similar exploit to crash Mozilla Firefox 3 beta 5.
The general workaround is not to use Safari 3.1.1 for Windows until Apple issues a fix; Firefox 2.x and Opera are recommended in the meantime.