TippingPoint announced on Wednesday that, just hours after Firefox was officially released on Tuesday, a researcher notified the security firm of the first publicly known vulnerability in Firefox 3.
According to tracking firm Secunia, the “highly critical” vulnerability is caused by an unknown error and can be remotely exploited to execute malicious code. TippingPoint, which purchased the vulnerability as part of its Zero-Day Initiative program, declined to release specifics until Firefox issues a patch.
The flaw not only exists in the new version of the browser but also affects Firefox 2.0 versions, Secunia said. User interaction is required for exploit, meaning a victim must visit a malicious website or click on a bogus link.
Window Snyder, the security chief at Mozilla, wrote Wednesday on the Mozilla security blog that the company is investigating.
“To protect our users, thedetails of the issue will remain closed until a patch is madeavailable,” she said. “There is no public exploit, the details are private, and sothe risk to users is minimal.”
It is not surprising that a bug was disclosed just hours after Firefox 3 was launched, Terri Forslof, manager of security response at TippingPoint, told SCMagazineUS.com on Thursday. Researchers who discover a vulnerability in prior versions often hold onto it to see if it still affects the new release.
In this case, it did.
Forslof said that as users await a fix, they should follow traditional safe computing practices.
“Don’t click on links in emails from untrusted sources,” Forslof said. “Don’t visit websites that you didn’t directly intend to go to. Just use good common sense while surfing the web.”
Firefox 3 includes enhanced security features, such as blocking sites known to be distributing malware.
Mozilla reported Wednesday afternoon that Firefox 3 had been downloaded some 8.3 million times within 24 hours of its release. The company was shooting for a new Guinness World Record.