With the annual Pwn2Own hacking event due to kick off tomorrow, Mozilla has confirmed that Firefox 3.6 has an unpatched critical vulnerability. The fact that Pwn2Own competitors will not be able to exploit this vulnerability to claim the Firefox hacking prize will be of no interest to the millions of ordinary users who think they remain exposed and vulnerable until a patch arrives at the end of the month. But they could get protected right now if they wanted, and without changing browser clients as suggested by the German government.
The vulnerability has already been patched by Mozilla developers, according to an official posting, which adds that the patch is "currently undergoing quality assurance testing for the fix" and so will not be made generally available until the scheduled Firefox 3.6.2 release on March 30th. However, Mozilla says that "users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here". Mozilla also recommends that people testing the 3.7 development builds "should upgrade to 3.7 alpha 3 or the latest nightly build" in order to ensure that they have this fix.
Meanwhile, according to SC Magazine, the German government has "advised users not to use Mozilla Firefox" because of the flaw. Could this be the start of the downfall of Firefox? I'm certainly getting a lot more email these days from people who have made the move first from MSIE to Firefox and now to Google Chrome, and who seem particularly happy with the combination of speed and security that it offers, for now. How they will react when the inevitable first really big Chrome security hole appears remains to be seen. In the world of browser client security the mantra appears to be: the bigger they are, the harder it is not to fall, as market share attracts hacker attention. Chrome will, as it continues to gain momentum and market share, discover this soon enough I suspect. That said, so far I've been very impressed with the newest client on the block.
Of course, going back to Pwn2Own, it's not the first time that Firefox has been in trouble there. Chrome, by contrast, has so far stood alone as unbroken in the face of the Pwn2Own hackers, while even the Mac was hacked in under 10 seconds last year.