Within five hours of the official release, security tool vendor TippingPoint was notified of a "critical vulnerability" affecting Firefox 3.0 and 2.0. The flaw could enable an attacker to run malicious code on a computer, the company said. As with other browser-based vulnerabilities, a person would have to click on a link in an e-mail or visit a malicious Web page to get infected.
The bug was reported to Mozilla, and no other details were released, in order to give the organization time to develop a patch. "Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well," TippingPoint said in a statement.
Mozilla downplayed the threat on its security blog, saying, "There is no public exploit, the details are private, and so the current risk to users is minimal."
Nevertheless, the organization said it was investigating the vulnerability and would keep the details under wraps until a patch was released.
The flaw was submitted to TippingPoint through its Zero Day Initiative program, under which the company pays security researchers for bugs they submit. Security experts have raised concerns about such programs, saying they set a precedent in which people could start selling their information to the highest bidder, who could end up being a criminal. In addition, there's no guarantee that the information is coming from an ethical hacker.
Another Firefox 3 vulnerability was posted Tuesday on a security mailing list hosted by security consultant Neohapsis. The brief posting warned of a buffer overflow bug in Firefox 3, but provided no details. It was not clear whether the flaw was the same as the one reported by TippingPoint.
An InformationWeek review of Firefox 3 found that new security features designed to protect users against phishing and malicious Web sites were unreliable. From a security standpoint, InformationWeek found Firefox 3 a step backward.
Meanwhile, Mozilla reported more than 8 million downloads of Firefox 3 in the first 24 hours of its release. The organization appeared to have far exceeded its goal of 5 million downloads, which would set a world record. Firefox's main rival is Microsoft's Internet Explorer.