The flaw, first discovered by Russian security researcher Evgeny Legerov, could allow an attacker to remotely execute arbitrary code on an affected system. It will be fixed with the release of Firefox 3.6.2, scheduled for March 30, Mozilla said in a blog post Thursday. The vulnerability affects only Firefox 3.6, which was released in January.
Secunia has classified the bug as “highly critical,” or four out of five on its severity rating scale. If users do not wish to wait for the late March patch, they were advised by Mozilla to download the beta version of Firefox 3.6.2, which contains the fix.
Legerov first disclosed the vulnerability on Feb. 1 on a message board hosted by Immunity, a Miami Beach, Fla.-based security assessment and penetration testing vendor. Legerov provided few details about the bug, however.
“It is a really cool bug," Legerov, founder of Moscow-based security research firm Intevydis wrote in the post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing.”
Legerov could not be reached for comment on Monday.
Meanwhile, the German Computer Emergency Response Team on Friday warned users against using Firefox until Mozilla has provided a fix for the bug.