Only hours after Mozilla launched the final of Firefox 3.0, a researcher sold a critical vulnerability in the browser to TippingPoint's bug bounty program, the security company acknowledged Wedesday.
The bug has been reported to Mozilla, TippingPoint announced in a post to a company blog. "While Mozilla is working on a fix, we won't be divulging anything else until a patch is available," said TippingPoint, citing policy. "Once the issue is patched, we'll be publishing an advisory."
The Austin, Tex.-based security vendor operates the Zero Day Initiative (ZDI), one of two prominent vulnerability purchasing programs, and regularly buys bugs from independent researchers, then reports the flaws to the appropriate vendor. It's perhaps best known for sponsoring an annual hacking contest, in which researchers try to break into stock Windows, Mac OS X or Linux laptops, at the annual CanSecWest security conference.
TippingPoint released little information about the Firefox bug other than to confirm that it affects the new Firefox 3.0 as well as older 2.0 versions. TippingPoint classified the vulnerability as "critical" and said it could be used to execute remote code. There is one caveat, however, said TippingPoint. "Not unlike most browser-based vulnerabilities that we see these days, user interaction is required, such as clicking on a link in e-mail or visiting a malicious Web page."
The company didn't hint whether the vulnerability was present in all editions of Firefox 3.0, or was specific to one operating system. However, it hinted that a patch might come quickly. "Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well," said TippingPoint.
Mozilla regularly touts its patch speed when it defends its security record. Last January, for instance, Window Snyder, the open-source vendor's chief security executive, rebutted a news report that claimed Firefox was less secure than Microsoft's Internet Explorer by noting that Mozilla patches faster than Microsoft. "At Mozilla we work as hard as we can to ship fixes as soon as possible to minimize the exposure to our users," she said then in a post to the company's security blog.
Mozilla was not available late Wednesday for comment or to answer questions.
Firefox 3.0, released Tuesday, was downloaded more than 8.3 million times in its first 24 hours of availability.
(Read Firefox 3.0 review here).
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
AOC Launches 18.5” Widescreen Green 16:9 LCD Monitor in Australia and New Zealand 2008-12-03 15:30:00+11
FrontRange Solutions eases software license management with new License Manager 3.0 2008-12-03 14:56:00+11
Progress Software's Cure for Managing Services-based Applications 2008-12-03 14:42:00+11
S3 Graphics Unleashes Full OpenGL® 3.0 API Support with Beta Driver for Chrome 500 Series GPUs 2008-12-03 14:08:00+11
Informatica Powercenter added to Nec Infoframe Solution Suite 2008-12-03 11:36:00+11
Discover the advantages of an open architecture multi-vendor network solution
View this webcast and discover the drivers for changing network design practices, why many organisations are changing their approach to network architecture and how enterprises should be moving forward with open architecture multi-vendor network solutions. Register now and learn how your business can maximize the business value of the enterprise network.
Buying Guides
Latest Products
Buying Guides
