Original Exploit Discovery

The Mozilla Team and Greyhats Security wanted to keep this one under wraps till a fix was available, but as usual the best laid plans etc. Now the world knows, and how long before unsuspecting people get caught out? Thankfully, Mozilla have made some changes to their Addons website so that the official site can no longer be involved, but if you add another site (such as extensionmirror) to your whitelist you can be hacked. Secunia has this to report. Firefox 1.0.4 will be on its way soon, but before that comes out, if you remove all entries from your whitelist apart from addons.mozilla.org then you should be safe - or you can disable "Allow websites to install software".
Interesting, seems FF needs to have a fuller version of process management than is present, either that or virus scanners need to start checking for malicious code in add-ins. A lot of network admins allow people to customise FF, including add-ins. I wonder how many pay proper attention to the fact they're letting (often idiots) install programs, same goes with Konfabulator. Once again, I doubt the virus scanners bother to scan them.
Firefox 1.0.4 is out for US English and a handful of other languages, the British release will be out soon.
It always takes a few days for the British release. I'm not entirely sure what they change, apart from where it says en-US to en-GB, and us ending up on Google UK instead. Can't be that hard really, can it?