From the
“
tomato, tom-ah-to
”
files:
Mozilla Firefox 3 is at risk from a new flaw that is currently unpatched. Whether the flaw is high or low risk depends on who you ask (or read).
This AM Radware issued a press release calling the vulnerability – critical. I contacted Mozilla and a few hours later they had an advisory up on their site calling the vulnerability – low risk.
Mozilla explains the vulnerability to be:
A null pointer dereference in the content layout component of Firefox
allows an attacker to crash the browser when a user navigates to a
malicious page.
As a mitigating factor, Firefox’s session restore will allow a user to restart their browser and be taken back to where they left off. The vulnerability requires that a user visits a malicious site with the malicious code on it, but as far as I can tell it does not require any further user interaction.
In my book, any flaw that does not require user interaction is significant.
True the impact is limited, and Mozilla notes that the issue is under investigation. But I hope that we see an incremental patch for this issue before I see a module for it up on Metasploit.