

Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK
clubs:
·MTA Online

Firefox 3 Vulnerability Found

said by Nancy Gohring, IDG News Service:

Five hours after Mozilla officially released Firefox 3.0, researchers found a vulnerability in the new browser.

Tipping Point has verified the bug and reported it to Mozilla, Tipping Point said on Wednesday.

Since Mozilla is still working on a fix, the researchers won't share details about the problem. Tipping Point ranked the severity of the vulnerability as high, but said that users would have to click on a link in an e-mail or visit a malicious Web page before being affected. The issue affects users of Firefox 3.0 as well as Firefox 2.0.

Once the problem is fixed, Tipping Point will publish an advisory on its Web site, it said.
More here.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
Well, that didn't take long.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
Sounds like Window Snyder brought more from Microsoft with her than the Mozilla folks hoped


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
reply to Owlbet
There was also this mention
»Re: Firefox 3.0 to be released today

Cudni

pepperxn

join:2001-02-21
reply to Owlbet
This flaw was most likely found before the final release, and whoever found it waited until after the 3.0 final release before mentioning it.


33591094

join:2002-11-19
Canada

said by pepperxn:

This flaw was most likely found before the final release, and whoever found it waited until after the 3.0 final release before mentioning it.
No doubt whatsoever...

Thankfully this is Mozilla we're talking about, and not MS or Apple. A fix WILL be along shortly, I have no doubt.


angussf
Premium
join:2002-01-11
Tucson, AZ
reply to Owlbet
The flaw also allegedly affects Firefox 2.x, so it's not a flaw that is new to this version.


major marco
Res Firma Mitescere Nescit
Premium
join:2003-02-13
Stepford, CA
reply to Owlbet
This is precisely why I never upgrade the nanosecond the latest version debuts. Mozilla becomes more MS like with each release.


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

said by major marco:

This is precisely why I never upgrade the nanosecond the latest version debuts. Mozilla becomes more MS like with each release.
However, in this case it affects v2 as well. The timing is curious, however. Let's see how long it takes Mozilla to fix it; however, remember this appears to be an older vulnerability just discovered.

OneHeart

join:2002-02-20
reply to Owlbet
We're doomed!
--
OneHeart


Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
·Shaw

reply to Owlbet
With all due respect to all the developers of every app, it's getting tougher and tougher to write code that covers every base. All the bad guys have to do is write code that finds a flaw. No wonder browsers are getting bloated...

Couple that with the propensity of the average user to be lax in their security settings and you have a winner behind door number 2. But this should have been fixed, IMO.
--
A triple espresso, please...


jmorlan
Hmm... That's funny.
Premium
join:2001-02-05
Pacifica, CA
reply to Owlbet
Why would somebody find a vulnerability and then wait until after a major release to notify the authors? Is he/she going to win a prize or something?
--
"Old age is always 15 years older than I am." (Francis Bacon)


Cabal
Premium
join:2007-01-21
Boston, MA

reply to major marco
said by major marco:

This is precisely why I never upgrade the nanosecond the latest version debuts. Mozilla becomes more MS like with each release.
Yes, because not upgrading would keep you safe in this case. Less trolling, more reading, please.
--
Would you trust a brain surgeon with two years' experience?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to jmorlan
said by jmorlan:

Why would somebody find a vulnerability and then wait until after a major release to notify the authors?
"Vandalism"


Jimmy3867

@pldt.net

 reply to jmorlan
said by jmorlan:

Why would somebody find a vulnerability and then wait until after a major release to notify the authors? Is he/she going to win a prize or something?
Lol? What prize are you talking about?!! It is all about MONEY brother...

I still remember the days when I used to work for a "security company" where the only thing we do all day is finding flaws on "critical/widely used" software.

After we found one we will contact the developer/company of the product of the flaw and will give them XX days to correct it and after it we will make the flaw/exploit public by publishing them at our website and security newsgroups. Depending on the severity of the flaw we discovered, the company will try to negotiate with us for a "reasonable amount of money" in exchange for us keeping the flaw private to both parties.

And we are talking about a huge amount of money here... The highest cut I got overnight is $30,000+ and that is just 5% share of what the "software" company paid us.

SUMware
Premium
join:2002-05-21

reply to jmorlan
said by jmorlan:

Why would somebody find a vulnerability and then wait until after a major release to notify the authors? Is he/she going to win a prize or something?
Yes.
The TippingPoint Zero Day Initiative rewards researchers that find and report vulnerabilities.

Here's the original TP report.

AquaSport
California - Sun, Surf, Traffic Jams

join:2007-05-03
California
·Comcast

reply to 33591094
If this was Apple, they'd be "working on a fix" for a few months.

But, if this was Microsoft, they'd have a fix out the same day - and then they'd realize that they accidentally included a virus in the update or opened a gigantic hole in the system, after millions of computers had downloaded and installed the update, and that would take up all of CNN's headlines for the entire day - and that's no fun for anyone watching the news.

AquaSport
California - Sun, Surf, Traffic Jams

join:2007-05-03
California
·Comcast

reply to Jimmy3867
Lol? What prize are you talking about?!! It is all about MONEY brother...

I still remember the days when I used to work for a "security company" where the only thing we do all day is finding flaws on "critical/widely used" software.

After we found one we will contact the developer/company of the product of the flaw and will give them XX days to correct it and after it we will make the flaw/exploit public by publishing them at our website and security newsgroups. Depending on the severity of the flaw we discovered, the company will try to negotiate with us for a "reasonable amount of money" in exchange for us keeping the flaw private to both parties.

And we are talking about a huge amount of money here... The highest cut I got overnight is $30,000+ and that is just 5% share of what the "software" company paid us.
damn, that's sweet! nothin' more to say!

go to work today, retire from work tomorrow!

quatrix
Premium
join:2005-02-11
Davie, FL

reply to major marco
said by major marco:

This is precisely why I never upgrade the nanosecond the latest version debuts. Mozilla becomes more MS like with each release.
Yeah, wouldn't want to expose ourselves to one of these vulnerabilities that affect one or two out of a few million people.


insomniac84

join:2002-01-03
Schererville, IN

reply to Owlbet
"The issue affects users of Firefox 3.0 as well as Firefox 2.0."
Well, clearly this bug has been known for a while, and either this was turned in long ago and Tipping Point held it until now to announce this for the publicity, or the person who submitted it waited until Firefox 3 came out because they didn't know it affected Firefox 2 and they wanted to meet the rules for getting paid, specifically this rule:
"Is the affected product widely deployed?"
Either way, someone sat on this exploit due to the potential for money or publicity, so this contest has only accomplished making people less safe, since whoever found it did not notify Mozilla for it to be fixed quicker. Everyone should applaud Tipping Point for failing so miserably.
© 1999-2009 dslreports.com