A medium-large bit of news this week is a potentially serious exploit in the shiny new freshly-released Firefox 3.5, which was released, discovered, and fixed nearly all at the same time:
"Mozilla's Firefox 3.5.1 browser is now out with fixes for one critical zero-day vulnerability that first became public earlier this week.
The zero-day flaw is a vulnerability in Firefox 3.5's Just-in-Time (JIT) JavaScript compiler. Mozilla's security advisory describes the vulnerability as "an exploitable memory corruption problem.""
Even though this is a potentially serious security hole that could possibly allow a remote attacker to take control of the user's PC, the Firefox team were praised for taking rapid action and early disclosure, and reporting a workaround to plug the hole until it could be fixed permanently. Another open source security success story!
Except for one thing-- of all the news stories I read, and the announcement on Security Focus, and the announcement on the Mozilla Security Blog itself, none of them bothered to report if this dastardly flaw affects Linux, Mac, and Windows, or just Windows, which naturally is the default assumption. Yo Firefox persons-- you do know it is a cross-platform application, don't you?
So I spent a good part of my morning reading and calling people, and finally unearthed this little nugget buried in the comments on the Mozilla security blog:
"44. Daniel Veditz {Thursday July 16, 2009 @ 12:30 am}
@DJ, @Kevin: the underlying bug happens on all platforms. The proof-of-concept exploit posted to milw0rm contained a windows-only payload, but it wouldn't be too hard for someone to graft on Mac and Linux payloads from the Metasploit project and make it cross-platform."
I'm trying to not yell and swear, but why isn't this information front and center? What should Linux and Mac users do, run around in a panic like Windows users, and hope we have current uninfected backups? How much of a threat is it really on Linux and Mac? We know that Firefox's Javascript engine is the same one on all three platforms. We know that Linux has genuine privilege separation and it is very hard to execute remote code on a Linux system. If you further confine privileges with SELinux, or set up a guest on a virtual machine you can download and execute malicious code all day just to watch it wiggle helplessly. (The code for this exploit, which is not really an actual exploit but a proof-of-concept, is at milw0rm.com/exploits/9137, without a payload)
Like most Firefox users, I am neither an ace coder nor a security guru whiz, so I don't know the answers. Anyway it's your job to tell us what we need to know.
Firefox folks, you can't have it both ways-- you can't dole out little nuggets of incomplete information and expect us to be informed users who do the right things to keep our systems safe. I happen to know for a fact that you do not get charged by the word, so please use a few more words and always give us complete information. Thank you.
