http://wiki.moztw.org/index.php/Firefox_FAQ ▏▎▍▌▋▊ Firefox FAQ ─────────────────────────────────────── http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla- firefox-30/ http://0rz.tw/074hp= 不想看英文的可以直接看下面重點 Mozilla Firefox 3.0 Vulnerability By Zero Day Initiative A number of people who monitor our Zero Day Initiative's Upcoming Advisories page noticed yesterday that we reported a vulnerability to Mozilla (ZDI-CAN-349). Taking into account the coincidental timing of the Firefox 3.0 release, many are asking us if this is the first reported critical vulnerability in the latest version of the popular open source browser. What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page. While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy. Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well. --- 重點就是 1. Fx3正式版在release之後的五個小時就被人匿名通知此zero day vulnerability 2. 這個漏洞要點惡意連結或是瀏覽惡意網站才會中獎 3. Fx2也有這個漏洞，不知道為什麼匿名通知者到現在才公布 4. Mozilla已經在著手修復這個漏洞 -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 140.115.221.3