Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.
Impact to users:
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.
In the meantime, users can protect themselves by doing either of the following:
* Using the NoScript Add-on
This appears to be this upstream bug, which is currently embargoed:
Mozilla has released their advisory, and fixed software.
In the long tradition of security-related stabilization requests, the mozilla team would like arch teams to stabilize the following packages:
Target keywords for =net-libs/xulrunner-18.104.22.168/=www-client/firefox-3.6.12 are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~ia64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris
Target keywords for =mail-client/thunderbird-3.1.6 are:
alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux
Target keywords for =www-client/seamonkey-2.0.10 are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Target keywords for =www-client/firefox-bin-3.6.12/=www-client/seamonkey-bin-2.0.10 are:
www-client/icecat is lagging behind as usual. So amd64, ppc, ppc64 and x86 arches, please prepare to get re-added once icecat comes with a bugfix release, too.
Stable for HPPA.
Stable for PPC.
Target keywords for =mail-client/thunderbird-bin-3.1.6:
Mozilla team, Icecat 3.6.12 is released, please bump and re-add.
re-added archs for stabilization of icecat-3.6.12
It would help to click "add archs".
ppc64, please stabilize:
Thanks, folks. Added to existing Mozilla GLSA request.
Nothing for mozilla team to handle, tree has all appropriate updates.
Sorry for the noise, just forgot to remove the mozilla team from the bug reports.
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).