Firefox 3 Ships, Vulnerability Discovery Follows


Fast Work, or Waiting for Maximum Exposure? It's Your Call

Just five hours after Firefox 3 was released to a waiting world, TippingPoint's Zero Day Initiative was informed of a serious vulnerability in the brand-new browser, IDG News Service reports. That's fast work, but some are wondering about the timing of the report, since the vulnerability also affects Firefox 2. Why wait until Firefox 3 is barely out of the chute?

Ryan Naraine of ZDNet's ZeroDay blog puts it this way:

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

Or, to put it more bluntly, cha-ching!

How Much Can You Earn?

The Zero Day Initiative Benefits page doesn't list a specific amount for a single reported vulnerability, citing these factors in determining the valuation:

  • Is the affected product widely deployed?
  • Can exploiting the flaw lead to a server or client compromise? At what privilege level?
  • Is the flaw exposed in default configurations/installations?
  • Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
  • Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)

The fact that Firefox, with millions of active users, is the target suggests that the researcher reporting the vulnerability earned a decent fee for his or her discovery. Zero Day Initiative also offers a multi-tiered loyalty program to threat researchers; it's not enough to make you quit your day job, but it's a helpful incentive to keep looking for vulnerabilities. For my thoughts, and how to protect yourself until an update is released, see page 2.

My Take

I like rewards for discoveries, but in this case, it's possible that the researcher decided that a bigger paycheck was worth putting millions of new (and old) Firefox users at risk. Although the flaw can only be exploited when a user clicks on a link, and the original enthusiast audience for Firefox is probably smart enough to avoid no-name websites and suspicious emails, chances are good that the Firefox 3 feeding frenzy has put Firefox into the hands of a lot of naive computer users who aren't as careful.

In the Meantime...

It probably won't take long for Mozilla to roll out a point release of Firefox 3 to stop this particular threat, but in the meantime, many Firefox users are recommending the NoScript extension, now available in a brand new version here. Based on the slow response of the Mozilla Add-ons server when I checked it on Friday, it looks as if NoScript is a very popular workaround right now.
