Is the first Firefox 3 vulnerability a 'low blow'?
Mozilla's chief security person Window Snyder wrote on the Mozilla security blog that:
TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that
impacts versions 2.x and 3.0. This issue is currently under
investigation. To protect our users, the details of the issue will
remain closed until a patch is made available. There is no public
exploit, the details are private, and so the current risk to users is
minimal.
Some might argue that there is some kind of conspiracy afoot here - after all, why bring up a flaw now, when Firefox 3 has been in development for the last 18 months? Perhaps there is an attempt to embarrass Mozilla here.
The timing of the Firefox 3 issue is unfortunate - but Mozilla already had a plan to patch Firefox 3 in its first six weeks as part of its regular stability and security sweep that it has always done. Frankly, I'm glad people like TippingPoint (and the people they pay) find bugs - ultimately it makes software safer for all of us, since it's better that the good guys find the issues, isn't it?