Mozilla is working on a patch for the recently disclosed critical bug in Firefox that has been exploited on at least one prominent Web site this week.
The vulnerability in Firefox is being used by attackers in drive-by download attacks to install malware on victims’ machines. Mozilla’s security team said that the bug is critical and affects versions 3.5 and 3.6 of the Firefox browser. There were reports on Tuesday that the Web site for the Nobel Peace Prize was serving an exploit for the Firefox bug.
“Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites,” Mozilla’s Brandon Sterne said.
Mozilla said that users can protect themselves against the exploit for the time being by either installing the NoScript plugin for Firefox or by disabling JavaScript. Sterne did not say when Mozilla expects to have the patch ready.
In an analysis of the exploit, Kurt Baumgartner, a senior security researcher at Kaspersky Lab, said that the attack emanating from the Nobel site is only effective against Firefox running on older versions of Windows that lack ASLR and DEP.