Firefox 3 Ships, Vulnerability Discovery Follows
Fast Work, or Waiting for Maximum Exposure? It's Your Call
Just five hours after Firefox 3 was released to a waiting world, TippingPoint's Zero Day Initiative was informed of a serious vulnerability in the brand-new browser, IDG News Service reports. That's fast work, but some are wondering about the timing of the information, since the vulnerability also affects Firefox 2. Why wait until Firefox 3 is barely out of the chute?
Ryan Naraine of ZDNet's ZeroDay blog puts it this way:
It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.
Or, to put it more bluntly, cha-ching!
How Much Can You Earn?
The Zero Day Initiative Benefits page doesn't list a specific amount for a single reported vulnerability, citing these factors in determining the valuation:
- Is the affected product widely deployed?
- Can exploiting the flaw lead to a server or client compromise? At what privilege level?
- Is the flaw exposed in default configurations/installations?
- Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
- Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)
The fact that the affected product is Firefox, with millions of active users, suggests that the researcher who reported the vulnerability earned a decent fee for the discovery. Beyond the per-report payment, the Zero Day Initiative also offers a multi-tiered loyalty program to researchers, not enough to make you quit your day job, but a helpful incentive to keep looking for vulnerabilities. For my thoughts, and how to protect yourself until an update is released, see page 2.