They’ve published a blogpost insinuating that Firefox 3.5 has a remote code execution vulnerability. I’ve tried to inquire whether they notified Mozilla about the issue, but after 4 days (!!!) my comment still awaits moderation or has been deleted outright.
So I decided to look a little more into the problem (from the safety of a VM) and arrived at the same conclusion as the F-Secure people: this is not a FF issue, rather a Flash / other third-party software issue. The given pages seem to contain a link to an “attack kit” which tries to detect the browser version / available plugins, after which it tries to send down a targeted exploit.
What I would have liked from ParetoLogic:
- Research the issue in more detail (a remotely exploitable bug in the up-to-date version of a popular browser is not an issue which should be taken lightly)
- It is ok to make mistakes, but one should own up to their mistakes and admit that s/he was wrong (update the original post)
- Don’t moderate user comments into oblivion (why do you have the “Comments” link then?)
Currently, my opinion still stands: they are a “grey-zone” company and you should avoid their products.
Picture taken from mikebaird's photostream with permission.