The Mozilla Foundation has confirmed the existence of a critical zero-day vulnerability in its popular Firefox web-browser - but says a fix won't arrive before the end of the month.
Posting on its official security blog, the Foundation confirmed a vulnerability which it has "determined to be critical and [which] could result in remote code execution by an attacker."
The good news? The Foundation has already developed a fix, which is currently undergoing quality assurance testing prior to a general roll-out. The bad news? That roll-out isn't due for at least a week, potentially leaving Firefox users vulnerable to attack.
The bug, originally discovered by security researcher Evgeny Legerov last month, was posted publicly but without the code required to carry out an attack. However, it appears that Legerov was reticent to provide detailed information to Mozilla, with ARN pointing to a now-deleted post on the researcher's blog admitting to "ignoring e-mails" from the Foundation and refusing to provide enough detail for the Foundation to reproduce the exploit.
Thankfully, the Foundation says that Legerov has now provided "sufficient details to reproduce and analyse the issue," meaning the flaw can be fixed and the patch prepared for a planned 30th of March roll-out. Those who are itching for a fix and don't mind running code that isn't as well tested as a standard release are advised to grab a copy of the nightly build of Firefox 3.6.2, which contains the patch to prevent the exploit from running.
Are you disappointed to see the Mozilla Foundation taking so long to patch a vulnerability in its browser software, or is it important that the patch is fully tested before being rolled out? Could the zero-day nature of the exploit have been prevented if Legerov had followed responsible disclosure guidelines? Have your say over in the forums.