Firefox burns the midnight oil – fix ready already!

Mozilla, the makers of Firefox, have responded vigorously to yesterday’s stories of a vulnerability in the popular browser. The exploitable vulnerability became hot news when it was reported that no less than the Nobel Peace Prize website was using it (inadvertently, of course) to distribute a Trojan horse called Troj/Belmoo-A.

The bug, now officially known as CVE-2010-3765, has already been fixed and an update for Firefox 3.6 is already available.

The vulnerability allowed carefully ordered JavaScript operations embedded in a webpage to trigger an exploitable buffer overflow. Browser overflows which lead reliably to remote, and therefore untrusted, code execution can almost always be abused to bypass existing security features – for example, allowing a file to be downloaded and launched without asking or even informing the user.

Well done to Mozilla for the speed of their response.

They’ve reacted so quickly in this case that they have beaten the Mitre Corporation – maintainers of the CVE vulnerabilities database, bankrolled by the National Cyber Security Division of the US Department of Homeland Security – by publishing the fix before the CVE site has even documented the bug.

The only question remaining is: should you roll out the update?

Do you still have change control procedures which require you to wait a minimum of, say, three weeks for an important fix like this? And, say, three months for something not quite so critical? Timeframes like this are still by no means atypical – though they seem dangerously long in the harsh light of modern cybercriminality.

The Mozilla chaps have bust a gut to get this sorted out within three days (two, actually), so – as long as you have a decent capability for rolling back changes – it’s probably worth thinking about how you can introduce a three-day change cycle for emergencies, too.

Where computer security is concerned, the day is the new week!