Firefox 3.5 zero-day flaw fixed in Firefox 3.6

From the ‘no that’s not a typo‘ files:

On Tuesday, I wrote about the new critical 0-day flaw that is now publicly available for Firefox 3.5.  As of 10 AM ET today there is no publicly released fix for regular Firefox 3.5 users, but users of the next generation Firefox 3.6 browser are already covered.


Mozilla staffer Daniel Veditz commented on the Mozilla security blog that the Tuesday nightly build of Firefox 3.6 had a fix in it for the critical JavaScript flaw. Firefox 3.6 currently has a pre-alpha build as well as a nightly build available that is updated (by definition) every night.

“It was checked in
yesterday, a few hours _before_ we learned of the milw0rm posting,” Veditz wrote. “This
fix was going to be in the 3.5.x update we had scheduled for the end of
July, but obviously now we have moved up the schedule for release.”

Considering that the JavaScript attack has now been weaponized on Metasploit and there are millions of Firefox 3.5 users (likely not millions yet for the 3.6 nightlies) – the obvious questions to ask is why 3.6 first?

News Around the Web