Mozilla has finally acknowledged the existence of a zero day flaw in Firefox 3.6, after lacking enough information to confirm it for nearly a month. A patch for the vulnerability has been included in Firefox 3.6.2, which is scheduled to land on March 30.
On February 19, we reported that a security researcher named Evgeny Legerov had released working exploit code for a previously unknown remote code execution bug in Firefox 3.6. The exploit was included in VulnDisco, an add-on for a professional exploitation framework called Immunity CANVAS.
Mr. Legerov, who is the founder of Moscow-based vulnerability research firm InteVyDis, has clearly expressed his disagreement with what is known as the "responsible disclosure policy" in the security industry. According to him, the practice of notifying vendors in advance of going public with information about new vulnerabilities is the equivalent of quality assurance work for free.
Secunia was the first to issue an advisory about the unspecified remote code execution bug allegedly discovered by Legerov. Mozilla responded by stressing that it did not have enough information to replicate the alleged issue and confirm the report, which led some people to accuse the vulnerability intelligence company of fueling a hoax.
However, in a statement posted on its Security blog yesterday, Mozilla announced that in the end the security problem proved to be a very real threat. "The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix," the company said.
Secunia also came out to explain its position on this incident. "We consider Evgeny Legerov a credible source and he has cooperated with us on a number of occasions when we contacted him with questions for additional information during our verification process. He has similarly cooperated with other players in the security industry and software vendors. So far, he has not given us any reason to doubt him and, unless he one day does, we will continue to consider his vulnerability reports credible," Carsten Eiram, the company's chief security specialist, commented.
He went on to say that a researcher's failure to adhere to responsible disclosure practices was not a strong enough reason to dismiss their findings and that Secunia made it a point to thoroughly verify each report before releasing an advisory. "There is a reason that Secunia is considered the most reliable source of Vulnerability Intelligence and has an almost flawless track record. So, unless you see hard evidence [...] that what we've posted is 'fake' or 'a hoax', then you can safely trust that since a Secunia advisory was issued, the vulnerability is real," Mr. Eiram concluded.
Firefox 3.6.2, which addresses this vulnerability, is scheduled for release on March 30, but a beta version can be downloaded from here.
Firefox 3.6.2 was released on March 22, one week earlier than expected. You can download it from our secure servers.

Correction: For the benefit of more clarity, we have changed the wording in the first and fourth paragraphs to reflect that Mozilla did not dismiss, but rather did not confirm, Secunia's report.