IDG News Service - Online attack code has been released targeting a critical, unpatched flaw in the Firefox browser.
The attack code, written by security researcher Guido Landi, was published on several security sites Wednesday, sending Firefox developers scrambling to patch the flaw. Until it is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user's machine.
Mozilla Corp. developers have already worked out a fix for the vulnerability. It's slated to ship in the upcoming 3.0.8 release of the browser, which developers are now characterizing as a "high-priority fire-drill security update," thanks to the attack code. That update is expected sometime early next week.
"We ... consider this a critical issue," said Lucas Adamski, director of security engineering at Mozilla, in an e-mail.
The bug affects Firefox on all operating systems, including Mac OS and Linux, according to Mozilla developer notes on the issue.
By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim's system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years.
While the public release of browser attack code doesn't happen all that often, security researchers don't seem to have much trouble finding bugs in browser software. Last week, two hackers at the CanSecWest security conference dug up four separate bugs in the Firefox, Internet Explorer and Safari browsers.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
