Context, the group who publicised the WebGL cross-site image and DoS issues a few weeks back, blogged about a nasty bug yesterday. It appears to only affect Firefox 4 on Mac OS X and Windows XP, but is a serious issue there; essentially, a WebGL page with the exploit could get access to parts of your graphics card’s memory that had been used by other web pages or applications, and so could conceivably get confidential data. The problem was fixed in Firefox 5 beta 5, and the final 5.0 release is expected to come out early next week. So if you’re using Firefox 4 on an affected OS, I would definitely suggest you switch to the beta if you want WebGL, or switch it off for now if you don’t (though I can’t imagine many readers here won’t want it enabled but safe).
While it’s certainly a good thing that this bug has been found and fixed, the timing of their release of the information is a bit disappointing. The normal procedure for a reputable security company when they find a bug like this, which could affect many tens of thousands of users worldwide, is to contact the software author with a proof-of-concept, wait a reasonable amount of time for a fixed version to become available, and then to release the information. This system works well for everyone — the software’s users get security patches, the author gets to create a better product, and the security researchers get the publicity of having solved a potentially nasty problem.
In this case, however, Context appear to have released details of the workings of the attack before the fix was available to normal non-beta-using Firefox users — and they say in their blog post that the fixed version is “expected 21st June 2011”, which means that they knew full well that they were doing that. Surely they could have waited for a few days so that normal users could easily upgrade their browsers?
[UPDATE: here's an interesting counterpoint to the Microsoft post by Jeff Muizelaar -- thanks to Stephen White for the link]
[UPDATE: fixed errors in the Firefox 5 beta timeline -- thanks to Benoit Jacob]