Thursday, Jun 19, 2008

Firefox Vulnerability Underscores Flaw in Security Reporting

Tipping Point DVLabs is reporting the discovery (or acquisition of the discovery) of a critical vulnerability in Firefox v3.0. The latest Firefox version was released amidst much fanfare on Tuesday, with Mozilla initially hoping for a Guinness World Record for the number of downloads in the first 24 hours. (That attempt failed.)

The Tipping Point write-up, like so many other vendor vulnerability reports, notes that "user interaction is required such as clicking on a link in email or visiting a malicious web page." This language, which implies the user somehow has to deliberately make some mistake, i.e. to "do something" to get infected, is a throwback to the era of social engineering scams and email worms. In THAT day, the disclaimer made sense. Today, however, users aren't being tricked into visiting miscreant sites. Millions of legitimate sites are being compromised, and all the user has to do is be unlucky enough to come across one of them during the normal course of browsing. (Which happens to about one out of two corporates, according to ScanSafe research.) To continue to include "user interaction is required" in security notices is akin to the insurance industry adding the admonishment that "only drivers that get out of bed in the morning are at risk of accident."

To be fair, Tipping Point isn't alone in including this statement. Microsoft pretty much coined the phrase in the early days, and it's since been adopted by nearly all security vendors. But given today's threat environment, it's a phrase in serious need of an overhaul.
