Security Wonks Reveal Holes in Firefox Straight Out of the Gate
Firefox developers worldwide spent months vetting and testing the many betas and release candidates that Mozilla served up. After all that poking and prodding, the final version still had at least one security flaw, which TippingPoint's DVLabs held up to the light Wednesday. The security researchers haven't offered details on how the exploit works, but they have notified Mozilla, which is presumably working on a fix.
Jun 19, 2008 2:29 PM PT
As Mozilla went after a Guinness World Record for the most downloads in a 24-hour period with its release of Firefox 3, it didn't take security researchers long to drop a bomb on all the browsing fun. TippingPoint's DVLabs reported that its Zero Day Initiative (ZDI) program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x.
Are 8 million newly minted Firefox 3 surfers taking to the Web with a broken browser?
Broken, of course, is just a fancy alliteration. In reality, DVLabs and Mozilla are both keeping the details under wraps, so it's hard to say how vulnerable Firefox 3 actually is.
"Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser-based vulnerabilities that we see these days, user interaction is required such as clicking on a link in e-mail or visiting a malicious Web page," DVLabs noted.
So how does a vulnerability slip past all the planning and building and testing that goes into a widely used browser like Firefox? With the many betas and release candidates Mozilla put out prior to the official launch, wasn't there ample opportunity to find the problem earlier?
DVLabs verified the vulnerability, acquired it from the researcher, then reported it to Mozilla. DVLabs will keep quiet about the details -- at least for an undisclosed time period -- to give Mozilla time to issue a bug fix.
TippingPoint buys the vulnerabilities from security researchers, whom some simply call "hackers." Good and bad intentions aside, TippingPoint purchases vulnerabilities based on the severity of the flaw and the scope of the problem. The more downloads and hype there is surrounding a flaw, the more important it is; therefore, there's a better chance the seller will fetch a better price.
In this case, the security researcher wants to remain anonymous, and TippingPoint will keep the seller's identity under wraps.
DVLabs did not respond to a request for comment. Mozilla pointed to its security blog, which offered few additional details.
"This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the risk to users is minimal," noted Windows Snyder, Mozilla's security team leader.
The big question now, of course, is when might Mozilla complete a fix.
"Considering how high-profile it is, I'd highly suspect a very rapid fix," Rich Mogull, an independent security consultant with Securosis.com, told LinuxInsider.
"Maybe days at the worst, but it's hard to guess. It really depends on the nature of the vulnerability and the work required to generate and properly test a fix," he added.
As for actual risk to users, Mogull said the risk is quite small. "As part of the ZDI program, no vulnerability details are released, and whoever found it is legally barred from releasing details. While they could break that contract, then they don't get paid," he explained. They could also open themselves up to a lawsuit, he added.
Both Clean and Risky
Unfortunately, the mere avoidance of questionable porn sites and infected file-sharing networks cannot guarantee a Web surfer will stay safe from maliciously crafted links. Even squeaky clean surfers can find themselves at risk.
"Thanks to cross-site scripting, we've seen even trusted sites become a vector for browser-based attacks," Mogull said, though he did note that this particular issue doesn't seem to exist in the wild, and that it should be fixed soon anyway.