A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox. Secunia has probably one of the more accurate and concise write-ups of the code execution vulnerability. It appears to be the first "Extremely critical" Firefox flaw logged by Secunia.
The vulnerability requires the attacker to trigger an install that appears to come from a whitelisted site. Fortunately, the Mozilla Foundation controls all of the sites in the default software installation whitelist, which has allowed them to take some preventative action by placing more checks in the server-side Mozilla Update code and moving the update site to another domain. We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk.
Paul and mikx reported the vulnerability to the Mozilla Foundation and bug 292691 was filed on Monday 2nd May. In line with the Mozilla security bugs policy, access to the bug report was restricted to members of the security team. However, somebody else found out and leaked the details of the exploit. The French Security Incident Response Team (FrSIRT) was one of the first security companies to publish an advisory based on the leaked information. In a message to the Full Disclosure mailing list, Paul criticised the individual who leaked the details of the Firefox code execution exploit, condemning his or her actions as "inconsiderate" and "irresponsible". Since the exploit became public knowledge, several duplicate bug reports have been filed, including bug 293302.
We anticipate that the Mozilla Foundation will release a Firefox 1.0.4 update shortly.