You may have noticed that we released Firefox 3.6.12 and 3.5.15. If you are running Firefox, please update! The release contains a single fix (read more about it in the release notes). The fix addresses an issue relating to the Nobel prize website that has gotten a bit of coverage:
I wanted to share a little more detail about the release and Mozilla’s response to the issue. I also wanted to thank those who made these releases happen quickly yet again.
The (impressive) release schedule went like so:
- A new trojan was created on Sunday (based on the link date in the exe)
- Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The report came in on Monday night @ ~9:00pm PDT
- Many engineers were up investigating the issue all Monday night
- We had Google block the page serving the malware within a couple of hours on Monday night. They responded extremely quickly. Users visiting the known exploit site at that point were warned via Firefox’s built-in Phishing and Malware Protection
- We sent the new malware to AV vendors and they had started working on signatures on Monday night PDT
- A fix to the underlying Firefox issue was found, reviewed, changed, re-reviewed, and landed on Tuesday for all branches
- Builds were created by Release Engineering Tuesday evening and QA confirmed the fix that night as well
- QA powered through tool and DNS issues to qualify the update Wednesday morning
- We released 2 fully localized products (3.5.15 & 3.6.12) on 3 platforms (Windows, Linux, Mac) with the fix Wednesday afternoon
That is less than 48 hours from the point Mozilla became aware of the issue to fixes available to end-users. WOW! What’s even more amazing is there are places we can get even faster without sacrificing the stability our users have come to expect.
Thanks to everyone for the late nights, hard work, and solid fixes!
(see this post for the title reference)