LinuxQuestions.org

Mozilla Firefox Vulns (https://www.linuxquestions.org/questions/linux-security-4/mozilla-firefox-vulns-410911/)

H_TeXMeX_H 02-23-2010 02:55 AM

Quote:

Originally Posted by Stroker (Post 3872837)
From your link
Secunia Advisory

Follow the "Original Advisory" url in which it states:



Apparently, it's a MS problem and limited to XP and Vista only.

That's what I thought, the "execute arbitrary code" ones usually are.

Also, this may not even work on Window$, as per the blog and comments posted ... it is not reproducible.

win32sux 02-23-2010 05:29 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 3873546)
That's what I thought, the "execute arbitrary code" ones usually are.

Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.

GazL 02-23-2010 05:45 AM

From what I've seen so far, all we know is that the written 'exploit' is for Windows. There's nothing to suggest that the underlying 'vulnerability' isn't more widespread.

H_TeXMeX_H 02-23-2010 06:22 AM

Quote:

Originally Posted by win32sux (Post 3873638)
Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.

Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.

Well, you could just say it's a gut feeling, but not completely unsubstantiated.

win32sux 02-23-2010 06:42 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 3873676)
Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.

Well, you could just say it's a gut feeling, but not completely unsubstantiated.

Okay, I was actually kind of hoping it was more than a gut feeling. It would be very interesting to know whether arbitrary code execution vulnerabilities in Firefox are more prevalent for certain platforms. The potential effects of exploiting those vulnerabilities (and the circumstances in which they are exploited) are a completely separate issue which isn't what I was asking about. I might look into this matter if I get some free time. Thanks for the reply.

H_TeXMeX_H 02-23-2010 10:32 AM

Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't, I bet it has something to do with ActiveX.

win32sux 02-23-2010 12:24 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 3873924)
Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't, I bet it has something to do with ActiveX.

Since when does Firefox do ActiveX?

H_TeXMeX_H 02-23-2010 01:34 PM

Yeah, it doesn't, oh well.

catilley1092 03-02-2010 01:08 PM

That's what I like about Firefox, none of that ActiveX crap.

H_TeXMeX_H 03-02-2010 02:28 PM

Well, technically there is an ActiveX plugin for FF ... who knows who's crazy enough to use it ...

catilley1092 03-02-2010 10:53 PM

I certainly would never use it. ActiveX controls are part of what makes IE a piece of crap for a browser, and makes Windows vulnerable to viruses. That's what I like about Mint and Linux in general, you don't have to go through the daily routine of scanning your system and still get infected, regardless of how careful you are.

win32sux 03-19-2010 11:56 AM

Update on Secunia Advisory SA38608
 
Quote:

Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.
Complete Post [mozilla.com]

win32sux 03-19-2010 11:58 AM

Mozilla To Fix Vulnerability Claimed To Be Fake...
 
Quote:

A month ago, Secunia issued an advisory, SA38608, for a vulnerability reported in Firefox 3.6 by Evgeny Legerov and with an exploit bundled in VulnDisco Pack.

Some people were very eager to claim that this vulnerability report was fake - both on the Mozilla blog and our own forum - but Mozilla has now fixed this vulnerability in their Beta build and it will also be included in the upcoming version 3.6.2.

It was not surprising to see some people claim that the vulnerability report was fake; the very weak arguments being made and assumptions these were based on did, however, surprise and can probably be listed as:

1) The vulnerability report is fake because the researcher has not provided details to Mozilla.

2) The vulnerability report is fake because no public details are available.

3) The vulnerability report is fake because the reporter did not adhere to what is commonly referred to as "responsible" disclosure, hence he is a "blackhat", and hence he is not to be trusted.
Complete Post [secunia.com]

catilley1092 03-20-2010 08:46 PM

Look, for the most part, this is only going to affect Windows users. Mozilla is taking an unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.

win32sux 03-20-2010 09:04 PM

Quote:

Originally Posted by catilley1092 (Post 3906109)
Look, for the most part, this is only going to affect Windows users. Mozilla is taking an unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.

Uh, why are you getting all defensive about this? Besides, AFAIK it wasn't Mozilla that was taking a beating, it was Secunia. Mozilla had even gone ahead and let it be known on their security blog that they had no idea what the problem was.


All times are GMT -5.