Firefox burns the midnight oil - fix ready already!

Filed Under: Malware, Vulnerability

Mozilla, the makers of Firefox, have responded vigorously to yesterday's stories of a vulnerability in the popular browser. The exploitable vulnerability became hot news when it was reported that no less than the Nobel Peace Prize website was using it (inadvertently, of course) to distribute a Trojan horse called Troj/Belmoo-A.

The bug, now officially known as CVE-2010-3765, has already been fixed and an update for Firefox 3.6 is already available.

The vulnerability allowed carefully-ordered Javascript operations embedded in a webpage to trigger an exploitable buffer overflow. Browser overflows which lead reliably to remote, and therefore untrusted, code execution can almost always be abused to bypass existing security features - for example, allowing a file to be downloaded and launched without asking or even informing the user.

Well done to Mozilla for the speed of their response.

They've reacted so quickly in this case that they have beaten the Mitre Corporation - maintainers of the CVE vulnerabilities database, bankrolled by the National Cyber Security Division of the US Department of Homeland Security - by publishing the fix before the CVE site has even documented the bug.

The only question remaining is: should you roll out the update?

Do you still have change control procedures which require you to wait a minimum of, say, three weeks for an important fix like this? And, say, three months for something not quite so critical? Timeframes like this are still by no means atypical - though they seem dangerously long in the harsh light of modern cybercriminality.

The Mozilla chaps have bust a gut to get this sorted out within three days (two, actually), so - as long as you have a decent capability for rolling back changes - it's probably worth thinking about how you can introduce a three-day change cycle for emergencies, too.

Where computer security is concerned, the day is the new week!

, , , , , , , , , ,

You might like

3 Responses to Firefox burns the midnight oil - fix ready already!

  1. SeanR · 1769 days ago

    Well done for shutting this door so quickly!
    Oh, and
    First Post!

    • Congrats Sean on being the first commenter. Sorry there's no prize - we spent all that budget on the logo.

    • Congrats Sean on being the site's first commented - but don't fool yourself that there's a prize for being number one. We spent all that budget on the logo.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog