Mozilla Patches Firefox for Nobel Flaw


Barely 48 hours after a zero day flaw in Firefox was publicly reported, Mozilla has issued a patch protecting its users with the new Firefox 3.6.12 and 3.5.15 releases. The new release comes just over a week after Mozilla released Firefox 3.6.11 fixing at least nine security issues.

Mozilla was alerted on October 25th about the zero day flaw in its Firefox 3.6 and 3.5 browsers, which could have enabled drive-by downloads of malware. Security researcher Morten Kråkvik first reported the vulnerability to Mozilla after discovering the issue while investigating an intrusion attempt.

Mozilla titles the flaw a 'Heap buffer overflow mixing document.write and DOM insertion' issue.

The flaw affects Firefox 3.6 and 3.5 and was already being exploited in the wild by attackers. One place where the flaw was known to be in use was the Nobel Peace Prize website, which was unintentionally distributing malware.

In addition to the new Firefox 3.6.12 release, Mozilla sent its data to Google so that users could be protected by way of the SafeBrowsing API. Google's SafeBrowsing API is a listing of potential malware and phishing sites that is included in the Firefox, Safari and Chrome Web browsers to help protect users.

Beta users of Mozilla's next generation Firefox 4 Web browser, however, do not seem to be at the same risk from the heap buffer overflow flaw.

"Firefox 4 beta users appear safe for the moment," Mozilla developer Daniel Veditz wrote in a blog comment. "The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability."

Firefox 4 has been in development at Mozilla since earlier this year and is currently at its beta 7 release. With Firefox 4, Mozilla is set to introduce a host of new security features that are intended to secure the Web browsing experience.

While Firefox 4 is now available for beta users, mainstream browser users will have to wait a little longer than first anticipated. Originally, Mozilla developers had targeted November as the release date for the general availability of Firefox 4. Earlier this week, Mozilla developers decided to push the release date into early 2011.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
