Firefox zero day being exploited in the wild

Cybercriminals are exploiting a "critical" zero-day flaw in Mozilla's Firefox web browser to distribute malware, security firms are warning.

Researchers at security firm Norman ASA disclosed the previously unknown vulnerability after discovering a trojan on the website for the Nobel Peace Prize that exploited the bug.

Though the problem has since been mitigated, visiting the Nobel Peace Prize website using Firefox 3.5 and 3.6 on Tuesday may have resulted in malware being installed on a user's machine without warning.

“The malware would then attempt to connect to two internet addresses, both of which point to a server in Taiwan,” Norman ASA researchers wrote in a blog post Tuesday. “If the connection was successful, the attacker would have access to the infected computer.”

The malware was identified as a Windows trojan called Belmoo, which opens a back door on the compromised computer, according to researchers at Symantec.

Mozilla, in a blog post Tuesday, confirmed that the trojan exploited an unpatched flaw in Firefox 3.5 and 3.6. The Nobel Peace Prize site is being blocked by Firefox's built-in malware protection, Mozilla said.

Exploit code could, however, still be live on other websites, researchers warned.

Mozilla said it is working on a fix, which will be pushed out to Firefox users as soon as it is tested. In the meantime, users can protect themselves by disabling JavaScript in Firefox, or using the NoScript add-on, Mozilla said.

“NoScript is a great idea – I'd never use Firefox without it, and neither should you,” Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Wednesday.
