Mozilla has released a patch for Firefox, just days after a hacker released code that could be used to attack the browser. The company has released an updated 3.0.8 version of Firefox just two days after the code was posted to the Milw0rm website. This update also fixes a bug disclosed to research firm TippingPoint last week by a hacker who used it to win the company's Pwn2Own contest at the CanSecWest security conference.
Mozilla developers had described the release as a "high-priority firedrill security update" thanks to the attack code, known as a "zero day" exploit. The quick work paid off, as they had expected it to take until early next week to complete testing.
Mozilla says both bugs are "critical."
The flaw exploited a bug in a Firefox routine known as method _moveToEdgeShift. He used it to hack the browser running on Mac OS X, but it could affect other platforms as well.
The other flaw, which has to do with the way the browser processes XSL (Extensible Stylesheet Language) stylesheets, affects Firefox on all operating systems, and also affects the Seamonkey Internet application.
Both of these bugs could be triggered by tricking a victim into viewing a maliciously coded web page, which would then allow an attacker to install unauthorised software on a victim's system. This kind of web-based malware, called a drive-by download, has become increasingly popular in recent years.
Firefox's next update, 3.0.9, is set to be released 21 April.