Cybercriminals are exploiting a "critical" zero-day flaw in Mozilla's Firefox web browser to distribute malware, security firms are warning.
Researchers at security firm Norman ASA disclosed the previously unknown vulnerability after discovering a trojan on the website for the Nobel Peace Prize that exploited the bug.
Though the problem has since been mitigated, visiting the Nobel Peace Prize website using Firefox 3.5 and 3.6 on Tuesday may have resulted in malware being installed on a user's machine without warning.
“The malware would then attempt to connect to two internet addresses, both of which point to a server in Taiwan,” Norman ASA researchers wrote in a blog post Tuesday. “If the connection was successful, the attacker would have access to the infected computer.”
The malware was identified as a Windows trojan called Belmoo, which opens a back door on the compromised computer, according to researchers at Symantec.
Mozilla, in a blog post Tuesday, confirmed that the trojan exploited an unpatched flaw in Firefox 3.5 and 3.6. The Nobel Peace Prize site is being blocked by Firefox's built-in malware protection, Mozilla said.
Exploit code could, however, still be live on other websites, researchers warned.
“NoScript is a great idea – I'd never use Firefox without it, and neither should you,” Graham Cluley, senior security researcher at anti-virus firm Sophos, wrote in a blog post Wednesday.