Hoax or not? Firefox 3.6 vulnerability
It all started with a posting at the IMMUNITY-Forum. Evgeny Legerov reported a new commercial Firefox 3.6 exploit. The posting is dated 2010-02-01. On 2010-02-03 Mario23 posted:
“I’ve bought VulnDisco 9.0 and tested the FireFox 0-day-exploit. It did NOT (!!!) work…”
He was concerned that the post could be a hoax, one that Secunia also bought into by releasing an advisory. The advisory is dated 2010-02-18. So obviously there is a little problem with the dates of the postings.
There are no more hard facts to report yet. The first websites reported on the new vulnerability. Now the word “hoax” is spreading. The Mozilla Security Blog didn’t confirm the vulnerability either, and the suspicion that it could be a hoax was posted at the IMMUNITY-Forum two days after the first posting. The biggest question for the moment: Hoax or not?
So far the forum postings and a Twitter account are the only real sources. Both belong to Evgeny Legerov. That is the problem with this particular vulnerability. Secunia CSO Thomas Kristensen told me the following:
“This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. (…) and previous vulnerabilities reported by this company / person have proved to be reliable.” That’s why the advisory uses the term “reportedly”.


Evgeny Legerov stated on his blog yesterday:
http://intevydis.blogspot.com/2010/03/firefox-hoax-or-not_04.html
Mozilla Update on Secunia Advisory SA38608
Secunia made the right choice…