A critical Firefox vulnerability that could result in remote code execution was disclosed a month ago by Evgeny Legerov, the founder of Moscow-based Intevydis, renowned lately as a serious critic of the “responsible disclosure” policy.
According to InfoWorld, he disclosed the existence of the flaw on a public forum, but not the attack code. At first he fended off questions and requests from Mozilla for the details, but he finally relented a few days ago, sending enough information to let them analyze the bug and prepare a fix.
Mozilla confirmed the existence of the vulnerability, which affects version 3.6 of its popular browser, and is currently testing the fix. The patched 3.6.2 version will be made available 8 days from now. In the meantime, users are urged to upgrade Firefox to the 3.6.2 beta, which contains a temporary fix for the flaw.
For those wondering whether exploitation of this vulnerability will be permitted in the upcoming Pwn2Own hacking contest, the answer is no. Aaron Portnoy of 3Com TippingPoint (the contest's sponsor) says that the company will have its entire research team present and will do its best to ensure that known issues aren't used.