Security assured as Mozilla and Adobe patches emerge

Adobe Shockwave Player in Mozilla Firefox

Rapid action saw Mozilla issue a fix for the flaw exploited on the Nobel Peace Prize website within 48 hours of its discovery. After a week, Adobe has rolled out a patch for Shockwave.

Visitors using Mozilla Firefox browsers to view the Nobel Peace Prize website were alarmed to find that a Trojan had been secreted there. Within two days of receiving a report from Norwegian security firm Telenor, the patch had been issued for versions 3.5 and 3.6 of the browser .

The company has issued a statement that assures users of the Firefox 4 beta that they are safe, even though their browsers had the same flaw.

"Firefox 4 beta users appear safe for the moment," Daniel Veditz, a Mozilla security engineer, blogged.

"The underlying problematic code does exist, but other code changes since Firefox 3.6 seem to be shielding us from the vulnerability."

Telenor said that visitors to the Nobel site were redirected to a Taiwanese server that responded with a JavaScript exploit. The script was designed to install a Trojan horse on any redirected Windows PC. In turn the Trojan downloaded more malware put the hacker in complete control.

The Trojan has also been neutralised by Avira, a German security company. The Trojan's links to the hacker's command-and-control servers had been severed, Avira said.

Adobe has also been busy patching a vulnerability that surfaced in Shockwave Player version 11.5.8.612 and earlier for Mac and Windows. Unlike the Firefox vulernability, the Adobe flaw was being targeted by several attacks.

In an advisory issued over a week ago, Adobe warned that an attacker could cause a system crash and take control of any vulnerable system.