TippingPoint's Zero Day Initiative (ZDI), a program that pays researchers for discovered software vulnerabilities and coordinates their disclosure, announced publicly on Wednesday, June 18th, a HIGH-rated vulnerability in the newly released Mozilla Firefox 3.0 Web browser. The flaw is also reported to affect the 2.x.x releases of Firefox.
Mozilla has confirmed the existence of the flaw but disputes the rating given by TippingPoint, saying that it poses minimal risk because exploitation requires user interaction, such as clicking a link in an e-mail or unknowingly visiting a malicious Web site, before the vulnerability can be fully exploited. Window Snyder, chief security officer at Mozilla, had this to say about reporting bugs:
At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure. The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.
A researcher who has opted to remain anonymous is said to have reported the vulnerability to ZDI just five hours after the latest release of Firefox was made available for download. The incident has hardly escaped the critical eye of several security-conscious users, who are crying "foul play" and speculating that the report was deliberately timed to land after the official release of the browser rather than before it.
As of this writing, Mozilla has yet to release a patch. Trend Micro advises Firefox users to monitor this page for an announcement or advisory addressing this vulnerability, which we hope will be available soon.