Mozilla pumped up the publicity for the release of its Firefox 3 browser, and now flaw finders appear to be doing the same.
Less than 24 hours after the company released its open-source browser, at least three researchers have claimed to have found flaws in the software. In the most credible case, the Zero-Day Initiative, a vulnerability-bounty program sponsored by 3Com's TippingPoint security subsidiary, announced on Wednesday that an unidentified participant submitted a critical flaw in Firefox 3 about five hours after the official release of the open-source browser. TippingPoint has confirmed the flaw and Mozilla is currently investigating the issue, according to statements made by the companies.
"We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after," TippingPoint stated in a blog post. "Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser-based vulnerabilities that we see these days, user interaction is required, such as clicking on a link in email or visiting a malicious web page."
Two other researchers claimed on security mailing lists to have found additional flaws. A hacker using the name "Hexapode" claimed to have found an unspecified boundary condition error. Another researcher claimed on the Full-Disclosure mailing list that Firefox 3 would open certain applications without first warning the user.
Finding security holes in the top four browsers has become increasingly popular over the past few years. In June 2007, less than a day after Apple released the beta version of its Safari Web browser for Windows, researchers published details on numerous vulnerabilities in the program. In early 2007, VeriSign's iDefense subsidiary offered a bonus to its vulnerability bounty hunters for any critical flaws found in Internet Explorer 7. Browser makers have consistently focused on using their handling of software bugs as a measure of security.
Researchers have yet to disclose flaws in Opera's browser of the same name, which the company released last week.
Posted by: Robert Lemos