Live: 300+ Best Black Friday Deals Live: Black Friday TV Deals BF Deals Under $25 BF Deals Under $50 5 BF Splurges 8 BF Must-Haves 15 Weird Amazon BF Deals BF Cheat Sheet
Want CNET to notify you of price drops and the latest stories?
No, thank you

Exploit turns up heat for Firefox flaw

Mozilla has patched the hole in the Web browser, but the public release of attack code means it's urgent that people apply the fix.

Computer code that could be used in cyberattacks on Firefox users has been released, increasing the urgency for people to upgrade to the latest version of the Web browser.

The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.

"This exploit was published after we released the update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."

The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X systems. It has been published as part of the Metasploit Framework, a widely used hacking tool.

The specific flaw exists only in Firefox 1.5 and was fixed in Firefox The problem could cause a memory corruption an outsider could use to run code on a vulnerable PC, according to a Mozilla advisory. The corruption would come from calling the "QueryInterface" method of the Location and Navigator objects in the browser.

Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the Firefox update "highly critical," and Mozilla has pushed out updates.

If for some reason users have not upgraded, they should definitely do so, Schroepfer said.