Firefox 3.5's First Vulnerability "Self-Inflicted"

CWmike writes "Mozilla has confirmed the first security vulnerability in Firefox 3.5, saying that the bug could be used to hijack a machine running the company's newest browser. A noted Firefox contributor called the situation 'self-inflicted' and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database. The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. '[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code,' Mozilla's security blog reported Tuesday."

Re:WTF

[maxume]

So when they know about and are actively working on fixing a bug that is an exploit vulnerability, you think they should do it in public?

I get the argument that telling your users about it means that they can protect themselves (say, by running noscript), but for a consumer facing organization like Mozilla, the majority of users aren't going to notice or do anything.