Mozilla Firefox 3 Needs A Fix Already

Mozilla may have broken two records. One for the most downloads in a 24 hour period. The second for needing a vulnerability fix only 5 hours after being released. The latter I am sure was not expected. But what the heck. Nobody is perfect and the folks at Mozilla are only human. It is going to be interesting to see how quickly this can be fixed.

TippingPoints / DV Lab reports:

A number of people who monitor our Zero Day Initiative’s Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349).  Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser.

What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.

I am sure the folks at Mozilla might feel that this could put a damper on their world record for downloads. I don’t believe it will. What is unfortunate is that this was not found before the final release.  :-(

Comments welcome.


Article Written by

I have been writing for Lockergnome for eight years.

  • the oracle

    Haste makes waste. Doing a final run through of the code is more important than meeting a self-imposed deadline – then again, perhaps the coders don’t grasp the problem yet.

    Staying with 2.x seems to have no benefit, so most will probably continue downloading with abandon.

  • Xyem

    I don’t see what the big deal is with this. Most ( if not all ) software ships with bugs/vulnerabilities which need fixing. This just means that one was _found_ within 5 hours which isn’t inherently bad.

    Issues found sooner are issues fixed sooner.

  • MKx

    It was in FF 2.0 as well, so it has nothing to do with “rush” release, it’s just that any code bound to have something like that, you just eliminate as much as you can.

    Plus it looks like the “researcher” was holding this vulnerability for Firefox 3.0 final release to make the sale.

  • tony bishop

    FF id not break any record – there was none to break!

  • Ron Schenone

    Thanks for all of the comments everyone.
    I guess we should call it a ‘new record’. :-)

    MKx – I thought that might be the case. Makes one wonder why? Since RC1 most likely had the same exploit.

    Thanks again, Ron

  • TomWij

    FF3 scrolls slow on various websites here, doesn’t matter if Smooth Scrolling is on or of… Didn’t had this problem on FF2.

  • CoolFinalFan

    Firefox 3.0 crashed on me twice after re-install twice , it still crashed , better yet it didn’t even open but just crashed, I switched to using Opera’s newest version!!

  • darkally

    is it just me or does ff3 crash more frequently than ff2 did?