[Osiris]

Although all the source code of Firefox is public and can be scrutinized during development at any time, a Tipping Point Security Advisory has been announced right in the middle of the Firefox 3 download day.
A unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing had been chosen in order to maximize the hype effect for the Zero Day Initiative.
However Mozilla developers are working around the clock, and there’s already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engines. Technical details and exploitation proof of concepts are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don’t know the details yet.
I can add that, even in this case, NoScript users are the safest.

hackademix.net - Giorgio Maone's answers to the Web, the Universe, and Everything

[Mak213]

So now there are 2 known flaws in Firefox 3 that happened on Download Day. :laughing:

There was the one that was found 5 hours into it and now this one. Unless they are the same thing. But still goes to show you that even with the extra RC testing it wasnt ready.

Cheers,
Mak

[Trotter]

No code is ever completely invulnerable. At least they were found quickly and are being fixed.

It amazes me how some of these holes work... "If you twist your arm backwards and cross your eyes while holding your breath and biting on a wintergreen Certs, you have the possibility of clicking a fuzzy link on a broken website written in prehistoric hieroglyphics which could allow a retarded chimpanzee to have access to you Recycle Bin. This flaw has been rated super-duper extremely criticalitious."

[Mak213]

I am not saying that there is code that cant be hacked. Just a shame that they got 2 flaws with brand new code reported on the first day. Even with 3 different RC versions. That just sucks.

[Trotter]

That it does.