Disclosing Firefox add-on vulnerabilities – why this week?
A vulnerability related to commercial add-ons (or extensions) of software vendors, which do not have their extensions hosted on https://addons.mozilla.org, was reported on 30th May.
The answer is simple, the final release week of Firefox 18.104.22.168 and 22.214.171.124 was publicly reported by Mozilla Foundation and several news sources in April. This was expected, because the supported state of FF 1.5.x reportedly ends in May too. I.e. there is no security and stability updates coming for versions 1.5.x any more.
There is no updated add-ons available from these vendors mentioned by Mr. Soghoian. So, the researcher possibly decided that disclosing this problem before the major security release of Firefox will help to notice the importance of this issue.
BTW, the response of Mozilla developers released yesterday is located here.
The following statement is a good signal from Mozilla developers:
For Firefox 3 we are considering ways to prevent add-on developers from using insecure channels…