Five hours after Mozilla officially released Firefox 3.0, researchers found a vulnerability in the new browser.
TippingPoint, a provider of network-based intrusion prevention systems, was informed about existing security issues in Mozilla Firefox 3.0 through its program Zero Day Initiative (ZDI) that rewards security researchers for exclusive information disclosing vulnerabilities founded in software products.
Even the new security features of Firefox 3.0 have the main priority to maintain personal information safe and to protect users from phishing and malware, TippingPoint confirms the existence of a critical vulnerability of high severity that affects Mozilla Firefox 3.0 (ZDI ID: ZDI-CAN-349) and prior versions of Firefox 2.0.x: "We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after.
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page."
In response to this security report, Mozilla Security Blog posted, "This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users".
If other security reports are taken into account, like the one found on SecurityFocus website which deals with an unspecified buffer overflow vulnerability (boundary condition error), the new security improvements from Firefox 3.0 are not powerful enough for present pishing and malware threats. In conclusion, having in mind that over 14 millions downloads of Mozilla Firefox 3.0 have been performed, users' computers are in potential danger until the security patches are released to fix the existing vulnerabilities.
The issue affects users of Firefox 3.0 as well as Firefox 2.0.
