Critical Update Followup

On Saturday, I reported on the first Critical Update for Firefox. In addition to being pleased with the rapid response and integrated update notification, I was concerned about the fact that almost no detail was given on the vulnerability, either in the update tool or on any of several Mozilla websites. At the time, I said the following:

So there’s some kind of file download exploit possible, but the details are omitted. I’m no security expert, but I thought best practice was to release as much information as possible. I don’t mind that Firefox has a vulnerability; no software is perfect. I’m impressed by the level of response and the integrated update system. At the same time, I’d rather see more information about the problem and solution (or even a link to same) than statistics spin.

On Sunday or Monday, I came across the Bugzilla Bug# for the vulnerability (probably via Burning Edge). When I tried to click through to view the bug report, I got a big red screen with a message indicating the bug was permissioned, and I didn’t have perms to view it. This was something I’d not seen before at Bugzilla, and I’d intended to blog about it here.

Today there’s more information. Early this morning, Burning Edge reported “Bug 259708 fully disclosed”. I’ve now read bug 259708 and the comment thread, and I have to say I was wrong. The bug in question was pretty nasty, and would allow a download link on a web page (assuming you choose to save the file) to delete every file in the target directory. Ouch! The Mozilla folks decided to restrict access to the specifics while a patch was cranked out. They also decided to wait a couple days for the patch to be downloaded before disclosing the bug, allowing users to put a fix in place. The team acted quickly in the best interest of the users, and released all of the information in a timely manner without further jeopardizing users’ data.

Nice Job, Guys.


One Response to “Critical Update Followup”

  1. jman Says:

    But why is firefox “checking in”?

    I actually saw this bug in action for quite some time, however what is firefox doing redirecting my browsing? In other words, if I type in “firefox http://some_host.com/path” on my command line, why am I going to mozilla.org? I have the “check for updates” box unchecked, so my firefox sessions should NOT ever be going to mozilla.org unless I type in mozilla.org.