The flaw was uncovered Tuesday by security vendor Norman, which said that it learned of the bug after analyzing attack code surreptitiously installed on the Nobel Peace Prize website. "If a user visited the Nobel Prize site while the attack was active early Tuesday using Firefox 3.5 or 3.6, the malware might be installed on the user's computer without warning," Norman said in a press release.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. | Learn how to secure your systems with InfoWorld's Malware Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]
In a blog posting, Mozilla confirmed that the attack exploited a previously unpatched flaw, and said it had heard from "several security research firms" that this attack code has been used on the Internet.
"We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested," Mozilla said in its blog post.
Mozilla said that the bug affects Firefox 3.5 and 3.6, on all supported platforms -- Windows, Linux and Mac OS X. According to Norton, the attack seen on the Nobel Peace Prize website targets Windows. It installs a Trojan program that can then be used by attackers to download more malicious software and essentially take control of the victim's computer.
The attack does not appear to be widespread at this point.
"This vulnerability appears to have been used in one targeted attack and Symantec hasn't seen anything else in terms of exploitation at this time," a spokesman with the antivirus company said via instant message.