First reports of a Firefox 3 vulnerability

A group of researchers collaborating on behalf of security firm TippingPoint has claimed it has written a report concerning a "critical vulnerability" in the just-released Firefox 3.0, and has presented that report to the Mozilla organization.

The nature of the vulnerability has not been publicly released, and TippingPoint states its policy is to notify the vendor first.

This much was said in a blog post yesterday afternoon: "We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code." It added that some social interaction with the user was required, as with commonly deployed exploits elsewhere, to compel her to click on a link that triggers the delivery of the malicious payload.

TippingPoint added it received news of the vulnerability from a researcher who volunteered that information under its DVLabs program. Through that program, independents are invited to present vulnerabilities they find, and may be offered money for that information.

The amount of money offered, according to TippingPoint's publicly stated policy, depends on the level of deployment of the affected product. "The amount we offer to a researcher for a particular vulnerability depends on the following criteria," begins the firm's list. The first item on that list reads, "Is the affected product widely deployed?"

Arguably, the wide deployment of the final release of Firefox 3.0 was zero up until last Tuesday, after which it eclipsed nine million. TippingPoint lists its vulnerability report at the top of a list of upcoming advisories, which shows the firm's report was written on Tuesday, the very day of FF3's record-breaking public release, and not one day before.

Late yesterday, Mozilla security chief Window Snyder acknowledged having received the report from TippingPoint. "This issue is currently under investigation," she wrote. "To protect our users, the details of the issue will remain closed until a patch is made available."

Members of some independent Firefox users' blogs this morning noted that Mozilla's typical response time for discovered vulnerabilities during Firefox 2's lifecycle was about ten days.

BetaNews has contacted Mozilla's California-based representatives for comment this morning, which may be forthcoming.