Fast Work, or Waiting for Maximum Exposure? It's Your Call
Just five hours after Firefox 3 was released to a waiting world, the Zero Day Initiative was informed of a serious vulnerability in the brand-new browser, IDG News Service reports. That's fast work, but some are wondering about the timing of the report, since the vulnerability also affects Firefox 2. Why wait until Firefox 3 is barely out of the chute?
Ryan Naraine of ZDNet puts it this way:
It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.
Or, to put it more bluntly, cha-ching!
How Much Can You Earn?
The Zero Day Initiative doesn't list a specific amount for a single reported vulnerability, citing these factors in determining the valuation:
Is the affected product widely deployed?
Can exploiting the flaw lead to a server or client compromise? At what privilege level?
Is the flaw exposed in default configurations/installations?
Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)
The fact that the target is Firefox, with millions of active users, suggests that the researcher who reported the vulnerability earned a decent fee for the discovery. The Zero Day Initiative also offers a multi-tiered loyalty program for researchers: not enough to make you quit your day job, but a helpful incentive to keep looking for vulnerabilities.
I like rewards for discoveries, but in this case, it's possible that the researcher decided a bigger paycheck was worth putting millions of new (and old) Firefox users at risk. The threat can only be exploited if a user clicks on a link, and the original enthusiast audience for Firefox is probably smart enough to avoid no-name websites and suspicious emails. But chances are good that the Firefox 3 feeding frenzy has put the browser into the hands of a lot of naive computer users who aren't as careful.
In the Meantime...
It probably won't take long for Mozilla to roll out a point release of Firefox 3 to stop this particular threat, but in the meantime, many Firefox users are recommending the NoScript extension, now available in a brand new version. Based on the slow response of the Mozilla Add-ons server when I checked it on Friday, it looks as if NoScript is a very popular workaround right now.