"High-priority" Firefox patch being readied
The update to the popular browser, version 3.0.8, has been deemed by Mozilla to be a "high-priority fire-drill security update," owing to the seriousness of the flaw. The update is expected to be released Monday or Tuesday.
The newly discovered, unpatched flaw -- for which researcher Guido Landi publicly has posted exploit code -- provides an opening through which attackers can enter Firefox source code and modify it. If a Firefox user simply views a maliciously coded XML file on a website, in a style of attack known as a drive-by download, the exploit installs unwelcome software onto the victim's machine.
The drive-by download affects Firefox running on all platforms, including Mac OS and Linux, according to Mozilla developer notes.
Browser exploits are nothing new. At last week's CanSecWest security conference in Vancouver, British Columbia, a "single-click-and-you're-owned exploit,” was unveiled in the newest release of Microsoft's browser, Internet Explorer 8. Bugs also were unveiled in Firefox and Safari browsers, although Google's Chrome survived unscathed.
"This makes the second big exploit of Firefox in a week," Tyler Reguly, senior security research engineer at nCircle, told SCMagazineUS.com on Thursday. "And it's the fifth bug in a popular browser over the last week-and-a-half."
The real issue is that end-users are running their computers as administrators, which enables an attacker to run code on a victim's machine, he said.
"It's a dangerous situation," he said. "When a person buys a computer...with Windows XP, that computer will be set up with 'admin' privileges. This opens up the computer to more damage when it's exploited."
A solution Reguly recommended is to run browser sessions that are contained within a virtual machine.
"This method completely segments web browsing from your personal files," he said. "If an exploit does make its way in, a user can revert to a clean position. This mitigates issues with browser exploits, including being linked into a botnet."