Those results have been nothing short of awesome. In the first week that the project has been live, we’ve seen 10 million people click through from our page to Adobe’s update site. As Ken points out, this is not just a huge number, it’s also about 5x higher click through than that page typically sees.

We’re continuing to look for ways to help our users stay safe and up to date. We’re working to roll other plugins into our web-based checking, and the Firefox team is also building an integrated check that will let you know whenever a site you visit is trying to use an outdated plugin (more on that soon). This is just the beginning.

Johnathan Nightingale
Human Shield

Ken Kovash and Eric Hergenrader surveyed users who have update-checking enabled but repeatedly chose not to update from Firefox 2 to Firefox 3. Read their posts: Why People Don’t Upgrade Their Browser – Part I and Part II. It’s great to understand why these people continue to use Firefox 2 even when it is no longer receiving security updates.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

This bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12 which be available shortly.

This issue was patched in only six (or 6.25 according to John O’Duinn) days. When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development.

http://www.mozilla.org/security/announce/2007/mfsa2007-28.html

Get Firefox 2.0.0.6 here.

Read the release notes for Firefox 2.0.0.6 here.

Congratulations and thank you to the dev, QA, and build teams, and all the community members that worked so hard to get this fix out quickly to our users.

This patch for Firefox prevents Firefox from accepting bad data from Internet Explorer. It does not fix the critical vulnerability in Internet Explorer. Microsoft needs to patch Internet Explorer, but at last check, they were not planning to. Mark Griesi is quoted in Infoworld saying “We don’t feel that there’s an issue in IE, and therefore, there’s nothing to be fixed.”

Mozilla recommends using Firefox to browse the web to prevent attackers from taking advantage of this vulnerability in Internet Explorer.

Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. This could result in a critical security vulnerability.

The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link. That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes. This can cause data to be passed accidentally from the malicious web page to the second Windows program. In the specific attack described in the report, Internet Explorer sends URL data to Firefox. If the data is crafted a certain way it will allow remote code execution in Firefox.

A similar interaction between Safari and Firefox was reported earlier and fixed by Apple. According to Ryan Naraine at ZDNet, Microsoft is not planning to release a patch at this time.

Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data. Other Windows programs may also be vulnerable to bad data being passed from IE although we are not aware of any at this time.

It is important to note that if you are using Firefox to browse the web you *are not* vulnerable to this attack. While we have seen no evidence of attackers exploiting this issue, there is proof of concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown websites.

We appreciate the work of the security researchers who identified this issue and the thousands of Mozilla community members who test patches and enable us to ship fixes so quickly. Mozilla is committed to identifying, prioritizing and fixing bugs to deliver the safest online experience for its users. We fix all bugs with any security risk as part of our commitment to security.

We spend a lot of time thinking about how we can get fixes out faster to users. But the window of risk is actually determined by two factors. The first is the time it takes us to create a patch, let call this Time to Fix. This includes the time to investigate a security issue, develop and test a fix, and finally ship the update. This is a better measure for understanding how safe a user is going to be than simply counting bugs.

But there’s another aspect to getting the fix to the user that often goes overlooked. That is the Time to Deploy. Time to Deploy is how long it takes for users to get a patch installed once the fix is available from the vendor. Auto-update has gone a long way toward minimizing Time to Deploy for Firefox, but there are still areas on which we can improve.

This chart shows how long it took for users to move from 1.5.0.5 to 1.5.0.6 last year:

This shows that it took eight days for about 90 percent of Firefox users to get updated. When I saw this last year I thought it was pretty fantastic. Firefox has millions and millions of users. Getting almost everyone updated in just eight days seemed pretty incredible to me.

I ran the numbers again this year after we shipped 2.0.0.4.

This chart shows how long it took for users to move from 2.0.0.3 to 2.0.04 last month:

This time it only took six days to update 90 percent of users. That’s a 25 percent decrease in Time to Deploy and a significant improvement in reducing the window of opportunity for attackers to take advantage of security vulnerabilities. It appears that some of the improvements in infrastructure have contributed to these numbers so a big thank you to everyone working in IT and to our partners that host mirrors. You’re helping to keep Firefox users safe.