Mozilla’s chief security person Window Snyder wrote on the Mozilla security blog that:
“TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0. This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users is minimal.”
Some might argue that there is some kind of conspiracy afoot here – after all, why bring up a flaw now, when Firefox 3 has been in development for the last 18 months? Perhaps there is an attempt to embarrass Mozilla here.
Personally, I don’t see it that way. I’ve spoken with TippingPoint on many occasions about bugs they discover (though not about this one in particular), especially some of the Apple Mac and QuickTime ones – TippingPoint tends to take heat for those too, with Mac heads thinking there is a targeted campaign to discredit Mac security. That’s just not the case so far as I can tell and has no basis in fact.
The timing of the Firefox 3 issue is unfortunate – but Mozilla already had a plan to patch Firefox 3 in its first six weeks as part of the regular stability and security sweep that it has always done. Frankly, I’m glad people like TippingPoint (and the people they pay) find bugs – ultimately it makes software safer for all of us, since it’s better that the good guys find the issues, isn’t it?