UPDATE: Mozilla has already created a patch for the zero-day vulnerability in its Firefox Web browser uncovered by security researcher Guido Landi, but users will have to wait a while to get it.
Attack code for the Firefox flaw was published March 25 on numerous security sites. The code takes advantage of a remote memory corruption vulnerability in XSL (Extensible Stylesheet Language) parsing of the “root” XML tag, and can be used to install software on the victim’s system without his or her consent.
Browser security has been in the spotlight lately due to the CanSecWest contest held March 16 to 20 and a recent report comparing the number of reported vulnerabilities in different Web browsers and the speed with which patches were made available.
In this case, officials at Mozilla said the company already has a fix for the Firefox flaw prepared, and that it will be pushed out when Firefox 3.0.8 is made available the week of March 30.
“It’s true that we have a patch for this issue, but we always do a complete quality assurance test pass before releasing an update,” said Johnathan Nightingale, Mozilla’s human shield. “We only ship software when we’re confident of its quality, especially in the case of security issues.”
The bug affects Firefox on the Windows, Linux and Mac operating systems. A successful exploit would require tricking a victim into interacting with a malicious XML file.
“We always encourage our users to be cautious about visiting sites they aren’t familiar with, but the best defense is to ensure that security updates like this one are applied immediately once they become available,” a Mozilla spokesperson said.
UPDATE: Mozilla clarified its original statement regarding the NoScript addon: “NoScript may afford protection against the specific sample that was published, but we haven’t yet analyzed whether it has any effect on the underlying problem.” — Mike Shaver, vice president of engineering.