Less than 48 hours after receiving a report of a critical flaw in Firefox, Mozilla issued an emergency update on Wednesday that patched the problem.
Around mid-day Pacific time today, Mozilla released Firefox 3.6.12 and Firefox 3.5.15 to patch the vulnerability, which had been exploited by malware secretly planted on the Nobel Peace Prize Web site.
Mozilla acknowledged the bug Tuesday and said it was at work on a patch, but provided few details. Today, the company said the vulnerability existed in the Windows, Mac OS X and Linux versions of Firefox 3.6 and the older Firefox 3.5.
The currently-stalled Firefox 4 was not at risk, Daniel Veditz, a Firefox security engineer, said in comments appended to the Mozilla blog post that confirmed the flaw.
"Firefox 4 beta users appear safe for the moment," Veditz said on Tuesday. "The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability."
The Trojan was designed to install more attack code on compromised machines; that code would then hijack the PC and give the hacker complete control.
Earlier on Wednesday, a German security company, Avira, said the Trojan's links to the hacker's command-and-control servers had been severed .
Avira also expressed surprise at the unreliability of the malware, and wondered why the attacker had essentially thrown away a valuable zero-day vulnerability on such poorly-written code. "Usually cybercriminals abuse [zero-day vulnerabilities] for profitable malware," Avira said.
Today's update was the fourth one-fix patch from Mozilla this year, and the first rush job since April, when the company plugged a hole used by a German researcher to win $10,000 at the annual Pwn2Own hacking contest in Vancouver, British Columbia.
Mozilla has prided itself on the speed with which it patches Firefox vulnerabilities, and has often argued that it gets fixes to users much faster than either Microsoft and Google do for their users of Internet Explorer and Chrome.
Firefox was last patched a week ago when Mozilla fixed a dozen flaws in its open-source browser .
Users can update to Firefox 3.6.12 by downloading the new edition or by selecting "Check for Updates" from the Help menu within the browser. Firefox 3.5 users can obtain version 3.5.15 by calling up the integrated update tool.
Firefox 3.5 is living on borrowed time. On Mozilla's site the company states that it will maintain 3.5 "with security and stability updates until August 2010," or two months ago. Typically, Mozilla ships patches for an older edition only six months after the release of a new version; Firefox 3.6 launched in January 2010.