Wednesday, October 27, 2010

Firefox v3.5 & v3.6 Zero-Day Exploit:
JavaScript Hell

An active zero-day exploit of Firefox versions 3.5 and 3.6 been found In-The-Wild. (The current version of Firefox is v3.6.11). Specifically, the Nobel Peace Prize website injects malware into victim computers via a newly discovered Firefox security hole. So far, the malware being injected is the Windows-only Trojan horse Belmoo-A. However, the injected malware could just as easily be any of the current Mac OS X Trojans.

Note of course that Trojan horses are inert until a 'LUSER' runs and installs them, providing it with their computer's Administrator password.

Firefox are aware of the situation and are working on a patch. In the meantime, they recommend the workaround of disabling JavaScript (aka ECMAScript), or installing and using the Firefox add-on NoScript. I use NoScript. I love it! I never leave my homepage without it.

As per usual, JavaScript is the bane of the Internet. However, Java isn't fairing too well either, much to everyone's dismay. I'll be writing about Java's security ills early next month.

No comments:

Post a Comment