Firefox 3.6.x and 3.5.x users are all potentially at risk from a new 0-day vulnerability linked to the Nobel Peace Prize website.
Though the flaw is technically a 0-day and there is currently no patch from Mozilla, in my opinion users shouldn’t be too worried, as multiple efforts are already underway to mitigate the risk.
“Users who visited an infected site could have been affected by the malware through the vulnerability,” Mozilla warned. “The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.”
Mozilla’s Daniel Veditz let me know that Firefox’s built-in malware protection is still in fact the Google SafeBrowsing API.
“We got the site blocked by Google’s SafeBrowsing within a couple of hours of learning about the exploit,” Veditz commented.
SafeBrowsing is also used by Chrome and Safari, which means that hundreds of millions of browser users are already protected (just in case those other browsers were also at risk — though that hasn’t been reported).
As for a code-level fix, one is being worked on, and I’d expect a Firefox 3.6.12 update before the end of the week.
**UPDATED** As expected, Mozilla has quickly issued an update fixing this issue for both Firefox 3.6 and 3.5 users.