TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16
07.16.08 - 02:15pm
Issue
A vulnerability in the way Firefox handles CSS allows an attacker to take advantage of an integer overflow and execute arbitrary code. In order for the attack to be successful a user must browse to a malicious site. The advisory is available here.
Impact
This critical vulnerability was reported to Mozilla before details were available publicly. By keeping the details of the issue private until the issue was patched, TippingPoint and Mozilla were able to keep the risk to users minimal.
Status
This issue is patched in Firefox 3.0.1 and 2.0.0.16 which are now available. Users will be prompted to install the update through the automatic update feature. If you would like to update now, select “Check for Updates” from the Help menu.
Credit
An anonymous reporter found this vulnerability and reported it to TippingPoint. TippingPoint reported it to Mozilla.
So “10 fucking days” has slipped to “One fucking month”?
As I mentioned in an earlier post (http://blog.mozilla.com/security/2007/08/06/mike-shaver-ten-days-and-expletives/) we try to fix security vulnerabilities as quickly as possible, but are not working with 10 days (or any other specific time frame) as our goal.
This issue got a bit of attention, but it is about the same risk to our users as an issue of the same severity found by an internal Mozilla tester. Since the details were not made public, the risk to users is minimal. We still work hard to get those fixes out as soon as possible, because that is the best way to keep users safe.
Some of us would prefer not seeing the childish use of potty words by your less mature users. Perhaps,you would consider blanking (yes, censor their little tirades) their nasty little comments, which add nothing of value to the message.
I feel certain you do everything possible to keep up with all the latest virus threats, etc., and some of us do appreciate it.