
Firefox 3 Ships, Vulnerability Discovery Follows


 

Protecting Firefox 3 from zero-day exploit

 

Fast Work, or Waiting for Maximum Exposure? It's Your Call

Just five hours after Firefox 3 was released to a waiting world, TippingPoint's Zero Day Initiative was informed of a serious vulnerability in the brand-new browser, IDG News Service reports. That's fast work, but some are wondering about the timing of the information, since the vulnerability also affects Firefox 2. Why wait until Firefox 3 is barely out of the chute?

Ryan Naraine of ZDNet's ZeroDay blog puts it this way:

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

Or, to put it more bluntly, cha-ching!

How Much Can You Earn?

The Zero Day Initiative Benefits page doesn't list a specific amount for a single reported vulnerability, citing these factors in determining the valuation:

 

  • Is the affected product widely deployed?
  • Can exploiting the flaw lead to a server or client compromise? At what privilege level?
  • Is the flaw exposed in default configurations/installations?
  • Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
  • Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)

The fact that Firefox, with millions of active users, is the target suggests that the researcher reporting the vulnerability earned a decent fee for his or her discovery. However, Zero Day Initiative also offers a multi-tiered loyalty program to threat researchers: not enough to make you quit your day job, but a helpful incentive to keep looking for vulnerabilities. For my thoughts, and how to protect yourself until an update is released, see page 2.

COMMENTS
The difference is

That the Firefox developers will quickly find a fix and deploy it in a timely manner. That is not the case with some other browsers, who shall remain nameless. I am actually glad that this was found in Firefox, now it can be corrected and we can move on with our lives.

It is curious that the exploit was brought to light after v3.0 was released since it also affected FF 2.0 as well. Sour grapes maybe?

Firefox

Apple has secret agents that dress and act like open source junkies. Although I only have circumstantial evidence to this, I believe these agents actively work on destroying non-Apple made software like Firefox and IE6-7 because they are direct competitors to Apple's stupid Safari browser.

Every release has a bug or

Every release has a bug or set back, can't blame a company for missing something here or there.
A+, MCDST
