Author Topic: Firefox 3.0 zeroday exploit?????  (Read 5324 times)

June 19, 2008, 12:51:49 pm

pcaccent

Quote
http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30

A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349).  Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser.

What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser-based vulnerabilities that we see these days, user interaction is required, such as clicking on a link in email or visiting a malicious web page.

While Mozilla is working on a fix, we won't be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy. Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well.

For more information on the Zero Day Initiative, you can read an intro.

June 19, 2008, 01:25:53 pm
Reply #1

sowhat-x

Lmao... :D
They waited until v3.0 gets released as final, and disclosed it only afterwards...
The "war of browsers" continues...

June 19, 2008, 05:26:36 pm
Reply #2

sowhat-x


June 20, 2008, 08:54:42 pm
Reply #3

tjs

I wonder if the finder probably knew about this issue in advance of FF3 shipping. Somehow I think they did... :(

TJS

June 21, 2008, 01:21:22 am
Reply #4

pcaccent


June 24, 2008, 09:36:05 am
Reply #5

strasharo

Quote
I wonder if the finder probably knew about this issue in advance of FF3 shipping. Somehow I think they did... :(

TJS

In my opinion the finder did. He waited for the release of 3.0 final so he can sell the exploit at a higher price to ZDI.

June 24, 2008, 05:20:43 pm
Reply #6

tjs

No doubt.. :/ Stuff like this really sucks. This is why people shouldn't pay for exploits.