Firefox flaw fixed in a flash

The Mozilla Foundation has released a fix for a critical zero-day vulnerability in its Firefox browser, just 48 hours after it learned of the flaw.

The vulnerability, first spotted after ne'er-do-wells uploaded a Trojan known as Belmoo that exploited it to the Nobel Peace Prize website, was one of the most serious security issues to beset the open-source project in recent years.

While in-built blacklisting technology, powered by Google, protected users from visiting sites known to be hosting the Trojan, new and unidentified sites could still infect users.

Thankfully, the issue is now resolved with the release of Firefox 3.6.12 and 3.5.15. Both releases, one for the current branch and one for the previous branch, offer full protection against the Belmoo Trojan and other Internet-borne nasties that attempt to take advantage of the same flaw.

The amazingly quick turnaround on the fix, a mere 48 hours between Mozilla being alerted to the problem and the patch being released, is a testament to the flexibility of the open-source development model. Although many could argue that the presence of the source code in the public domain makes it easier for criminals to find and exploit flaws in the security of a package, there's certainly no denying that it also makes it easier for issues to be discovered and fixed.

If you're running Firefox on any platform, you're advised to download and install the update as soon as possible, either through the Tools - Check for Updates menu option or by downloading the installer directly from Mozilla.