Firefox 3.6 affected

Feb 19, 2010 11:58 GMT

A Russian security research company has released a working exploit for a previously undisclosed vulnerability in the latest version of Firefox. The zero-day attack code can be leveraged to execute arbitrary code remotely and is confirmed to work on Windows XP and Vista.

The flaw affecting Firefox 3.6, the latest stable iteration of the popular open-source browser, was discovered by InteVyDis, a vulnerability research company based in Moscow. The working exploit code is included in the latest version of its VulnDisco product, an add-on for the professional exploitation framework Immunity CANVAS.

“People who've seen firefox exploit agree with me - it is a really cool bug, it was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing,” Evgeny Legerov, InteVyDis' founder, wrote in an announcement on the Immunity Community Forum. Additionally, Secunia rates this vulnerability as “Highly Critical” and classifies it as a remote code execution vulnerability.

The exploit released by the Russian company is confirmed to be working on Windows XP and Vista, but that doesn't necessarily mean that Firefox on other platforms is not affected. When asked about Windows 7 reliability, Mr. Legerov replied on Twitter that “we did not test it on win7, working on mac os version atm.”

At the beginning of this year, InteVyDis announced that it would no longer adhere to what is known in the industry as the responsible disclosure policy. This set of guidelines states that affected vendors should be made aware of security bugs and be given reasonable time to address them before the details are made public. Mr. Legerov's and his company's position is that this “allows vendors to exploit security researchers to do QA work for free.”

Even though, for now, people will have to pay to get their hands on the attack code, it's safe to assume that it is just a matter of time until it gets leaked to the masses. In that case, it all comes down to how fast Mozilla will be able to release a fix.

According to The Register, for the time being, the browser maker had this to say: "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users."