Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Posted by Soulskill on from the sooner-than-later dept.

Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."

7 of 140 comments (clear)

  1. Re:What kept them? by abhishekupadhya · · Score: 1, Insightful

    Also if this was IE, browser fanboys would take the flamebait oh-so-quickly. Every browser has its own issues. Deal with it.

  2. So this just shows, that you can't relax. by Securityemo · · Score: 2, Insightful

    Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

    --
    Emotions! In your brain!
  3. Someone enlighten me by mrsteveman1 · · Score: 3, Insightful

    Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

    1. Re:Someone enlighten me by The+MAZZTer · · Score: 2, Insightful

      Because the fix could break other things, or even not actually fix anything or fix the security vulnerability completely, or even cause a different security vulnerability (possibly worse).

      Testing is important, especially when you want to attract users, not drive them away. Unstable software will do that.

  4. Re:OMFG by wizardforce · · Score: 4, Insightful

    Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

    Secunia: omfg Firefox has a vulnerability!!!
    Mozilla: ok so what are the specifics?
    Secunia: ...
    Mozilla: Hello?
    Secunia: ...
    Mozilla: Anyone?
    Secunia a few days ago: Right then... here are the details...
    Mozilla: *patched beta*

    --
    Sigs are too short to say anything truly profound so read the above post instead.
  5. Re:What kept them? by thetoadwarrior · · Score: 2, Insightful

    If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

    No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

    So no need to get defensive about an awful browser like IE.

  6. Re:OMFG by recoiledsnake · · Score: 2, Insightful

    Maybe it was more like this:

    Secunia: omfg Firefox has a vulnerability!!!
    Mozilla: ok so what are the specifics?
    Secunia: ... (puts it on black hat exploit auctions)
    Mozilla: Hello?
    Secunia: ... (sells it to the highest bidders)
    Mozilla: Anyone?
    Secunia a few days ago: Right then... here are the details... (Milked it enough)
    Mozilla: *patched beta*

    --
    This space for rent.