Oct 27, 2010 13:38 GMT

Mozilla confirmed the existence of an actively targeted critical vulnerability in Firefox 3.5 and 3.6 and recommends the NoScript add-on as mitigation until a permanent fix is ready.

The vulnerability was exploited in a drive-by download attack launched from the Nobel Peace Prize website, which was reported yesterday by Norwegian antivirus vendor Norman.

In a post on the Mozilla Security Blog, Brandon Sterne, the company's security program manager, noted that the attack page is now blocked by Firefox’s built-in malware protection, which uses the Google SafeBrowsing API.

"However, the exploit code could still be live on other websites," he said, before revealing that Firefox developers are currently working on a patch.

Vulnerability research company Secunia assigned this flaw (CVE-2010-3765) its highest criticality rating - extremely critical.

Until a fix is tested and ready for wide deployment, Mozilla recommends that users disable JavaScript inside the browser or rely on the NoScript extension.

Disabling JavaScript can be achieved by going to Tools > Options > Content and unchecking the "Enable JavaScript" box.

However, doing so might severely affect the browsing experience, as the technology is used by the vast majority of websites.

A much better and less intrusive approach is to install the NoScript Firefox extension. By default, this add-on only allows JavaScript content to be loaded from the same domain as the opened page.

Users are given the option to manually select third-party domains from which they wish to allow scripts to run, permanently or temporarily.

NoScript might prove annoying at the beginning, until regularly visited websites are added to its whitelist, but the security benefits greatly outweigh the temporary inconvenience.

The extension also provides protection against attacks like cross-site scripting (XSS), cross-site request forgery (CSRF) or clickjacking (UI redressing).

It's also worth mentioning that preliminary tests showed Firefox 4 (currently in Beta) as being safe from this attack.

"The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability," said Daniel Veditz, security lead at Mozilla.