
Just five hours after Firefox 3 was released to a waiting world, TippingPoint's Zero Day Initiative was informed of a serious vulnerability in the brand-new browser, IDG News Service reports. That's fast work, but some are wondering about the timing of the information, since the vulnerability also affects Firefox 2. Why wait until Firefox 3 is barely out of the chute?
Ryan Naraine of ZDNet's ZeroDay blog puts it this way:
It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.
Or, to put it more bluntly, cha-ching!
The Zero Day Initiative Benefits page doesn't list a specific amount for a single reported vulnerability, citing these factors in determining the valuation:
The fact that Firefox, with millions of active users, is the target, suggests that the researcher reporting the vulnerability earned a decent fee for his or her discovery. However, Zero Day Initiative also offers a multi-tiered loyalty program to threat researchers, not enough to make you quit your day job, but a helpful incentive to keep looking for vulnerabilities. For my thoughts, and how to protect yourself until an update is released, see page 2.
I like rewards for discoveries, but in this case, it's possible that the researcher may have decided that a bigger paycheck was worth putting millions of new (and old) Firefox users at risk. Although the threat can only be exploited by a user clicking on a link, and the original enthusiast audience for Firefox is probably smart enough to avoid no-name websites and suspicious emails, chances are good that the Firefox 3 feeding frenzy has put Firefox into the hands of a lot of naive computer users who aren't as careful.
It probably won't take long for Mozilla to roll out a point release of Firefox 3 to stop this particular threat, but in the meantime, many Firefox users are recommending using the NoScript extension, now available in a brand new version here. Based on the slow response of the Mozilla Addons server when I checked it on Friday, it looks as if NoScript is a very popular workaround right now.