Mozilla confirms critical Firefox bug
Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.
Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.
"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."
Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.
The bug was disclosed by Russian researcher Evgeny Legerov a month ago in a message posted on a forum hosted by Immunity, the Miami Beach, Fla. developer best known for its Canvas penetration testing framework. Legerov works for Moscow-based Intevydis, which produces the VulnDisco add-on for Canvas.
Legerov did not publish attack code, and initially refused to provide details to Mozilla, according to a March 4 entry he posted on his blog. "I've ignored e-mails … from Mozilla, please do not waste my and your time anymore," Legerov wrote. The blog has since been deleted, but is still available via Google's cache.
In comments appended to a vulnerability alert published by Danish bug tracker Secunia, several users questioned Legerov's motives for making the announcement, while others chided Secunia for not thoroughly testing the flaw or claimed that it was all a hoax.
Read more: <a href='http://www.computerworld.com/s/article/9173698/Mozilla_confirms_critical_Firefox_bug'>Foxy bug
korg