Mozilla patches Firefox zero-day bug in 48 hours

Browser maker reacts fast to fix flaw in Firefox 3.5 and 3.6

Less than 48 hours after receiving a report of a critical flaw in Firefox, Mozilla issued an emergency update on Wednesday that patched the problem.

Around mid-day Pacific time today, Mozilla released Firefox 3.6.12 and Firefox 3.5.15 to patch the vulnerability, which had been exploited by malware secretly planted on the Nobel Peace Prize Web site.

Mozilla acknowledged the bug Tuesday and said it was at work on a patch, but provided few details. Today, the company said the vulnerability existed in the Windows, Mac OS X and Linux versions of Firefox 3.6 and the older Firefox 3.5.

The currently-stalled Firefox 4 was not at risk, Daniel Veditz, a Firefox security engineer, said in comments appended to the Mozilla blog post that confirmed the flaw.

"Firefox 4 beta users appear safe for the moment," Veditz said on Tuesday. "The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability."

Mozilla credited Morten Kråkvik of the Norwegian security vendor Telenor SOC for reporting the bug on Monday. In a pair of blog posts yesterday and today, Telenor said that visitors to the Nobel site were redirected to a Taiwanese attack server that launched a JavaScript-based exploit, which if successful, planted a Trojan horse on victimized Windows PCs.

The Trojan was designed to install more attack code on compromised machines; that code would then hijack the PC and give the hacker complete control.

Earlier on Wednesday, a German security company, Avira, said the Trojan's links to the hacker's command-and-control servers had been severed.

Avira also expressed surprise at the unreliability of the malware, and wondered why the attacker had essentially thrown away a valuable zero-day vulnerability on such poorly-written code. "Usually cybercriminals abuse [zero-day vulnerabilities] for profitable malware," Avira said.

Today's update was the fourth one-fix patch from Mozilla this year, and the first rush job since April, when the company plugged a hole used by a German researcher to win $10,000 at the annual Pwn2Own hacking contest in Vancouver, British Columbia.

Mozilla has prided itself on the speed with which it patches Firefox vulnerabilities, and has often argued that it gets fixes to users much faster than either Microsoft or Google does for users of Internet Explorer and Chrome.

Firefox was last patched a week ago when Mozilla fixed a dozen flaws in its open-source browser.

Users can update to Firefox 3.6.12 by downloading the new edition or by selecting "Check for Updates" from the Help menu within the browser. Firefox 3.5 users can obtain version 3.5.15 by calling up the integrated update tool.

Firefox 3.5 is living on borrowed time. On Mozilla's site the company states that it will maintain 3.5 "with security and stability updates until August 2010," a date that is already two months past. Typically, Mozilla ships patches for an older edition for only six months after the release of a new version; Firefox 3.6 launched in January 2010.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Copyright © 2010 IDG Communications, Inc.