Mozilla has released version 3.6.12 of its popular web browser Firefox today, less than 48 hours after a 0-day vulnerability was reported. The emergency update addressed an exploit that had been planted on the Nobel Peace Prize website. Mozilla first posted to their Security Blog that they were aware of the issue, were working on a patch, and that the site was being blocked by Firefox’s built-in malware protection. A little while ago, that same blog post was updated to point users to the newly released updates in the form of Firefox 3.6.12 and 3.5.15 and Thunderbird 3.1.6 and 3.0.10.
Their original announcement of the issue included recommendations to disable JavaScript or use the NoScript add-on (not a bad idea to use this all the time). The relevant bug report has also been opened up regarding this zero-day.
Morten Kråkvik of Telenor SOC reported an in-the-wild 0day affecting Firefox 3.6.x on Windows to security@:
A compromised site is currently redirecting visitors to hxxp://l-3com.dyndns-work.com/admissions/admin.php, which contains exploits directed at Firefox users on Windows.
The exploit is confirmed successful on Windows XP SP3 + Firefox 3.6.11.
Props to Mozilla for addressing the issue so quickly. Now that the patch is available, the responsibility passes to the users of Firefox, maybe that includes you, to update to Firefox 3.6.12. You can update by going to the Help menu, and running Check for Updates… or downloading the latest version from the Mozilla site.