Mozilla released patched updated versions of its popular web browser on Wednesday, addressing a zero-day security flaw that put potentially millions of Internet users at risk.
Morten Kråkvik of the Norwegian security vendor Telenor SOC was credited with the discovery of the flaw on Monday by Mozilla. Within 48 hours of the disclosure, Mozilla had patched the bug. The company has always prided itself on the speed at which it responds to threats, and has claimed that it gets fixes to users of its browser faster than Microsoft or Google.
The bug affected Firefox 3.5 and Firefox 3.6 versions. Firefox 3.6.12 and 3.5.15 were released, while the Firefox 4 beta was not at risk. The update to the Firefox 3.5 browser comes two months after Mozilla said it would stop providing security and other updates for it.
Unfortunately the bug was exploited by code planted into the Nobel Peace Prize website. Visitors to the site were redirected to a Taiwanese attack server that launched a Javascript exploit. If successful, the exploit planted a trojan on the victim's computer, which would in turn retrieve more malware.
However, on Wednesday, security firm Avira had reported that links between the Trojan and the attackers' command and control servers had already been severed. The German security outfit also expressed surprise at the unreliability of the malware, saying the attacker had thrown away a valuable zero-day vulnerability that would usually be used to deliver profitable malware.
The bug affected Firefox 3.5 and Firefox 3.6 versions. Firefox 3.6.12 and 3.5.15 were released, while the Firefox 4 beta was not at risk. The update to the Firefox 3.5 browser comes two months after Mozilla said it would stop providing security and other updates for it.
Unfortunately the bug was exploited by code planted into the Nobel Peace Prize website. Visitors to the site were redirected to a Taiwanese attack server that launched a Javascript exploit. If successful, the exploit planted a trojan on the victim's computer, which would in turn retrieve more malware.
However, on Wednesday, security firm Avira had reported that links between the Trojan and the attackers' command and control servers had already been severed. The German security outfit also expressed surprise at the unreliability of the malware, saying the attacker had thrown away a valuable zero-day vulnerability that would usually be used to deliver profitable malware.
