Critical vulnerability in Firefox 3.5 and Firefox 3.6

Update (Oct 27, 2010 @ 20:12):
A fix for this vulnerability has been released for Firefox and Thunderbird users.

Firefox 3.6.12 and 3.5.15 security updates now available
Thunderbird 3.1.6 and 3.0.10 security updates now available

Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users:
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:

Morten Kråkvik of Telenor SOC

Brandon Sterne

33 comments on “Critical vulnerability in Firefox 3.5 and Firefox 3.6”

  1. Holly wrote on

    Have you assigned a CVE yet?

  2. CNN Newsroom wrote on

  3. mvario wrote on

    Does that mean Minefield/FF4 is unaffected?

  4. Daniel Veditz wrote on

    @Holly: CVE-2010-3765

    @mvario: Firefox 4 beta users appear safe for the moment. The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability. It is more effective–now that we’ve identified the problem–to simply patch it and be sure than to spend hours trying to prove FF4 is safe.

  5. dave wrote on

    ETA on a fix? Is there a patch we can apply now?

  6. Sean Kerner wrote on

    By Firefox’s built-in malware protection, do you mean the Google SafeBrowsing API?

  7. Daniel Veditz wrote on

    @Sean: yes, we got the site blocked by Google’s SafeBrowsing within a couple of hours of learning about the exploit.

  8. dave wrote on

    Is this the fix …

  9. Jason wrote on

    Here are some articles about this:

  10. pal-moz wrote on

    no, bug is #607222

  11. Arthur Norton wrote on

    “that exploit code leveraging this vulnerability” – what does that mean in English?

  12. Lonyl wrote on

    Is this a windows only exploit?

  13. Sug wrote on

    I have been using Microsoft EMET 2.0, with all the “mitigation techniques” on, is this a good measure until the patch comes out?

  14. Lloyd Budd wrote on

    It would be great if you would include the most recent version #s for affected major versions in the post for reference. They appear to be
    Firefox 3.6.11
    Firefox 3.5.14

  15. Sreedharan wrote on

    Is Mozilla 3.0 version safe then?

  16. Mark wrote on

    @Sug only if it’s a buffer overflow exploit. It could be a privilege escalation exploit, in which case UAC will offer some protection, but you’ll need some sort of sandbox like Sandboxie for full protection since this will prevent Firefox from touching anything outside the sandbox.

  17. DADSGETNDOWN wrote on

    If you disable javascript you can not access hotmail.

  18. Daniel Veditz wrote on

    Is Mozilla 3.0 version safe then?

    Absolutely not! In addition to this problem 3.0.19 is vulnerable to most of the advisories issued since March 2010 when Mozilla ended support for it. See

  19. Daniel Veditz wrote on

    @dave: no, the patch is

    @Lonyl: The exploit “in the wild” affects only users of recent 3.6 versions running Windows XP (not Vista or Win7). The vulnerability (bug) in Firefox also exists on older versions and on other platforms but this particular group of criminals chose not to bother with the effort of making the exploit there.

  20. John wrote on

    @Arthur Norton: in the phrase “exploit code”, “exploit” is an adjective, not a verb.
