Mozilla, the makers of Firefox, have responded vigorously to yesterday’s stories of a vulnerability in the popular browser. The exploitable vulnerability became hot news when it was reported that no less than the Nobel Peace Prize website was using it (inadvertently, of course) to distribute a Trojan horse called Troj/Belmoo-A.
Well done to Mozilla for the speed of their response.
They’ve reacted so quickly in this case that they have beaten the Mitre Corporation – maintainers of the CVE vulnerabilities database, bankrolled by the National Cyber Security Division of the US Department of Homeland Security – by publishing the fix before the CVE site has even documented the bug.
The only question remaining is: should you roll out the update?
Do you still have change control procedures which require you to wait a minimum of, say, three weeks for an important fix like this? And, say, three months for something not quite so critical? Timeframes like these are still by no means atypical – though they seem dangerously long in the harsh light of modern cybercriminality.
The Mozilla chaps have bust a gut to get this sorted out within three days (two, actually), so – as long as you have a decent capability for rolling back changes – it’s probably worth thinking about how you can introduce a three-day change cycle for emergencies, too.
Where computer security is concerned, the day is the new week!