Slashdot Mirror


Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

7 of 156 comments

  1. Re:WTF by bunratty · · Score: 4, Insightful

    You mean that you actually want example exploit code to be available to everyone? Why?

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  2. Re:WTF by maxume · · Score: 5, Insightful

    So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

    I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer-facing organization like Mozilla, the majority of users aren't going to notice or do anything.

    --
    Nerd rage is the funniest rage.
  3. MOD PARENT UP by argent · · Score: 4, Insightful

    Mod Parent Up "this should have been in the summary, Taco".

  4. Re:Nice test for the open source community by fedxone-v86 · · Score: 3, Insightful

    They haven't released an update yet though, which is probably the more interesting event.

    That's true of course. And I don't want to split hairs but point out the open source nature of the Firefox browser:

    The patch is already available.

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
  5. Re:Foundation, Not a Company by Anonymous Coward · · Score: 4, Insightful

    Geezus....I should probably stop reading this site, it seems that everyone is so sure of themselves and are ALWAYS in the right that you actually have time to quibble over insignificant details. Yeah, he may have been incorrect (doubtful!) but do you really think that the point was lost to anyone that read it? Or caused ANY confusion? Why bother then?

    Get over yourselves, we aren't all born perfect, and may make mistakes. There is absolutely no reason to jump all over somebody for such a piddly mistake, EXCEPT TO BOOST YOUR OWN EGO!

    rant off....

  6. Re:Nice test for the open source community by jank1887 · · Score: 4, Insightful

    But, the majority of users only update Firefox when it pops up a "hey, there's an update. Click here!" prompt.

    The issue is unfixed for 90% of users until that occurs.

  7. Why do we trust JavaScript all of a sudden by onlyjoking · · Score: 3, Insightful

    Is it just me who remembers the days when the only way to browse safely was to turn off JavaScript? Now that we're all drinking the Web 2.0 Kool-Aid, it seems we've forgotten how many browser vulns are JavaScript-related. Websites should never depend on JavaScript to function properly, but now we have point 'n click jQuery, Dojo etc. it seems websites are built on JavaScript foundations with all the security issues that implies.