Bürger-CERT (”German’s official cyber-security response team”) is warning users against using Firefox until version 3.6.2 (scheduled on March the 30th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but:
- There’s no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1st.
- A patched Firefox release candidate is already available, so if you’re really scared or impatient you can get it here.
- As almost always happens, NoScript* has been protecting its users since day 0, keeping its promise of preventing
exploitation of security vulnerabilities (known and even not known yet!).
* in its default configuration, and even better in its full content blocking mode.
In the meanwhile, Mozilla decided to go through the effort of anticipating Firefox 3.6.2 by one whole week for the greater good, so if you haven’t seen the “Available update” message yet, just use Help|Check for updates now.
Now that vulnerability details are not embargoed anymore, I can add that exploitation required the browser to load a specially crafted web font. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default.