It's nice to see that the security researchers are taking notice of FireFox's increased share of the market and responding appropriately: http://blogs.zdnet.com/security/?p=1288
This is interesting on many levels . . . here we have a free, open source browser and I'm just guessing that this un-named researcher found this vuln ages ago and deliberately held off on releasing it until FF 3.0 went RTW so he/she could test it out against the RTW bits so that he/she could sell it to ZDI and get paid. Sure you COULD find the vulnerability and contribute the fix back to the OSS community for free . . . or you could get paid. Hmmmm . . .
And again - if you're running FireFox 2.x or 3.x on Vista - that seems unwise . . . you'll actually be LESS safe than you would with IE7 on Vista if you have UAC enabled. Think about it . . .
Okay okay - so you still want to use FF 3.0 on Vista - at least force it to use DEP (permanent) via the ExecuteOptions reg value or something . . . sheesh.
I'd give you the .REG script to do it here but don't feel like downloading FF 3.0 at the moment, so forcing FF 3.0 to use DEP (permanent) is left as an exercise to the reader.
EDIT: An astute blog reader willing to install FF 3.0 on Vista pointed out that it seems to have opted-in to DEP all by itself. Hooray Moz! That's good stuff.
Welp the gauntlet has been thrown down . . . with the release of IE 8 possibly only months away . . . will we be able to beat the ~5 hour mark on release day and "follow in Moz's foot steps"? I certainly hope I don't have to FOGA IE8 on release day. That would suck. 🙂