"He's a regular contributor to our program," she said. Don't click on links in e-mail, make sure the operating system is up to date, and don't visit unsafe sites."įorslof added that the researcher, who has chosen to remain anonymous, is someone TippingPoint has worked with before. "This is in the same line as lots of other browser vulnerabilities," she said, "so the advice is in the same line, too. Mozilla didn't provide additional information or offer recommendations for users, but Forslof was willing to do so. "Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well," TippingPoint noted in a blog posting of its own. Yesterday, TippingPoint sounded confident that Mozilla would quickly fix the flaw. She declined to be specific about a timetable. The fix will come in the next security updates for Firefox 2.0 and Firefox 3.0, Snyder said.
"To protect our users, the details of the issue will remain closed until a patch is made available," she said. Snyder confirmed that she had received word from TippingPoint - Forslof said she e-mailed Snyder directly with a heads-up - and that the Mozilla team was looking into the problem. "It's browser specific, only on Firefox, but on Windows, Mac and Linux." "It's not operating system specific," she said. Today, Terri Forslof, TippingPoint's manager of security response, expanded somewhat on the vulnerability's range. Yesterday, however, it noted that the vulnerability would let hackers execute remote code - making the bug a critical flaw - and that it would require some action by the potential victim, such as clicking on a link in an e-mail message or visiting a malicious or compromised site. Snyder was responding to news yesterday that 3Com Corp.'s TippingPoint, a security vendor that runs the Zero Day Initiative bug bounty program, had purchased a critical Firefox 3.0 vulnerability from an unnamed researcher and then forwarded information on the bug to Mozilla.Īs per its policy, TippingPoint said it would not release details of the bug until Mozilla has crafted a patch.
0 kommentar(er)
