Russian Security Researchers Find Critical Security Hole in Firefox 3.6

Article by George Norman (Cybersecurity Editor)

on 23 Feb 2010

The latest and greatest version of the Firefox web browser is Firefox 3.6, which was released as a final, stable software application this January. Firefox 3.6 comes with more features, more speed and better security – but this is not to say there aren’t security holes that can be exploited. As security researchers from various security companies have always said, no browser is 100% safe.

Speaking of which, Russian security experts from Intevydis managed to uncover a previously unknown security hole in Firefox 3.6. They managed to exploit the security hole in the Windows version of Firefox 3.6 and remotely take control of the targeted machine. The good news is that the exploit does not affect the Mac OS and Linux versions of Firefox 3.6.

The vulnerability has been given a critical rating by Secunia, a Danish company that specializes in providing software for vulnerability management and is best known for tracking the latest security threats and offering info about patches.

Intevydis has made the exploit available to its customers. In case you’re not familiar with the Russian company, it develops the commercial VulnDisco add-on for the Canvas exploit toolkit by vendor Immunity. The only details about the security hole are that it is a buffer overflow vulnerability, and it is quite reliable. At least that is what developer Evgeny Legerov says on the Immunity forum.

The Mozilla Foundation released updates for its older browser versions earlier this month – namely Firefox 3.0.18 and 3.5.8. No update has been released for Firefox 3.6 since the browser was rolled out last month. We can only assume that the hole is still open, but knowing the Mozilla Foundation, they’re working on a fix as we speak.

In related news, if you are a Firefox fan you could show your love by voting for the browser in the 2010 About.com Reader’s Choice Awards. You should hurry up though, as there are just 2 days left to vote.

UPDATE 24 February 2010: Mozilla said it is aware of the fact that Firefox 3.6 is plagued by a critical security bug. “We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response,” said Mozilla's Lucas Adamski.


