Firefox attack code posted by security researcher

Chicago (IL) – A security researcher has posted malicious code that exploits a vulnerability in Firefox 3.0.x. Mozilla reacted quickly and changed its browser release schedule: Version 3.0.8, which will include a patch, is scheduled for a release early next week.

Browser developers are often too slow fixing critical exploits in their products, even when known security experts inform them of vulnerabilities. Despite the discovery of well-documented vulnerabilities,  browser vendors tend to stick to their release schedules, which means that a necessary patch will not be released before the next scheduled update.

However, when Guido Landi found a flaw in the current desktop Firefox software, which allows an attacker to install unauthorized software on a user’s system, he chose to post the exploit code – in the hope that Mozilla would react fast.

By publishing the attack code to several security-related sites yesterday, Landi provoked an immediate reaction from Mozilla, which promises to accelerate the release of Firefox 3.0.8 to as early as next week. In addition, the organization describes the Firefox 3.0.8 release a “high-priority firedrill security update,” thanks to the attack code Landi published online.
Of course, one could argue that attackers might take Landi’s code and use it against users until fix is posted. In reality, however, Landi may have shown that browser vendors may need some motivation to react in an appropriate fashion.

In a nutshell, the flaw discovered by Landi could be used to fool an unsuspecting user into opening a maliciously coded XML file that exploits the vulnerability to run a web-based malware on his computer – a scenario that is also know as “drive-by download.” All Firefox versions 3.0.x (Windows, OS X, Linux) are affected by this bug.