When Mozilla's Firefox 3 hit desktops June 17, to the tune of some 8.3 million downloads within the first 24 hours of its release, it arrived with a number of new security features in tow. However, the browser has already caught its first bug, a non-OS-specific vulnerability rated critical by security vendor TippingPoint Technologies.
Though neither TippingPoint, which disclosed the bug to Mozilla privately, nor Mozilla is saying much, the security company reported that the vulnerability requires user interaction and can lead to remote code execution. The bug also affects Firefox 2, and will be addressed with the next security update for both versions of the browser. When asked, Mozilla could not offer a specific date for that.
Window Snyder, head of security for Mozilla, said in an e-mail to eWEEK that there is no evidence that the bug is being exploited in the wild and the risk to users is minimal at the moment because the details of the bug are private. Perhaps that will allow Firefox users to take a slight breath of relief, but the bug's presence also brings browser security back into the spotlight.
Firefox made a point of adding a number of new features relating to security in Version 3, including checking of add-ons to ensure that users have the most current versions available. Most notably, however, the company has joined forces with Google to blacklist Web sites. The company purposefully took that approach, Snyder said, to keep users from accidentally visiting bad sites.
"Known good lists in this context would be inappropriate: the Web is enormous, and attempting to maintain a catalog of every Web site, blocking any that we have not already indexed, would be functionally impossible," Snyder said. "A known good list would also be critically flawed for the scenario where malware authors target legitimate Web sites as hosts by infiltrating advertising networks or exploiting site vulnerabilities."
Firefox 3 leverages Google's phishing and malware databases to check the sites a user visits before loading them, she continued. Updates are loaded to a local database about every 30 minutes.
"Since that check is very fast, Firefox can do that before even connecting to the site," she said. "This blocks the load up front, which is safer and makes a stronger statement to the user than just popping a warning up over the loaded page content."
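The approach Snyder describes, as an added illustration rather than Mozilla's or Google's own code: a local blocklist that is refreshed on a fixed 30-minute interval and consulted before any connection is opened, so a blocked URL never reaches the network layer. The refresh source, the host-or-parent-domain matching rule and the sample hostnames are assumptions for this example, not details taken from the article.

```python
import time
from urllib.parse import urlsplit

# The article states the local database is updated about every 30 minutes.
REFRESH_INTERVAL = 30 * 60  # seconds


class LocalBlocklist:
    """Local copy of a remote "known bad" host list (constructed illustration).

    fetch_list: callable returning an iterable of blocked hostnames (assumed
                to be the upstream database download).
    now:        clock function, injectable so the refresh schedule can be tested.
    """

    def __init__(self, fetch_list, now=time.time):
        self._fetch_list = fetch_list
        self._now = now
        self._entries = set()
        self._fetched_at = None  # None until the first download

    def refresh_if_stale(self):
        """Re-download the list once REFRESH_INTERVAL has elapsed."""
        age_unknown = self._fetched_at is None
        if age_unknown or self._now() - self._fetched_at >= REFRESH_INTERVAL:
            self._entries = set(self._fetch_list())
            self._fetched_at = self._now()

    def is_blocked(self, url):
        """True if the URL's host, or any parent domain of it, is listed.

        Parent-domain matching is an assumed policy: listing example.net also
        blocks cdn.example.net, but not example.net's siblings.
        """
        self.refresh_if_stale()
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        return any(".".join(labels[i:]) in self._entries for i in range(len(labels)))


def guarded_load(url, blocklist, connect):
    """Consult the local list first; connect() runs only for URLs that pass.

    Returns ("blocked", None) or ("loaded", <connect() result>).
    """
    if blocklist.is_blocked(url):
        return ("blocked", None)
    return ("loaded", connect(url))
```

Because the lookup is purely local, the decision is made before any bytes are sent to the site, which is the "blocks the load up front" behaviour the quote contrasts with overlaying a warning on already-loaded content.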
Opera Software went down a similar path with its partnership with Haute Secure in Version 9.5 of the Opera browser, which was released June 12. However, Opera contended that its approach also protects against malicious links and goes a step beyond Firefox and Internet Explorer.
"Other browsers are also introducing their own malware protection features, which is good for users and good for the Internet," Snyder said. "Our own internal testing gives us confidence that the protection in Firefox 3 will keep our users safer than they ever have been on the Web."