The Mozilla Foundation has patched two "extremely critical" security holes in its Firefox web browser that were reported earlier this week. The flaws have been patched in the Firefox 1.0.4 release, which was posted to the Mozilla.org web site late yesterday.
When exploited in tandem, the two bugs could allow an attacker to gain control of the Firefox user's system by taking advantage of the way Firefox handles software installations from certain trusted websites.
Firefox automatically allows software to be installed from update.mozilla.org and addons.mozilla.org, but users who want to install software from other Web sites can add to this trusted list.
Earlier this week the Mozilla Foundation made changes to Mozilla.org, which protected most users. But web surfers who have added other websites to their trusted list are still vulnerable, says Chris Hofmann, director of engineering with the Mozilla Foundation.
Danish security firm Secunia has rated the exploit as "extremely critical," marking the first time a flaw in the open-source browser has received the firm's most serious security rating.
Firefox has gained market share against Microsoft's Internet Explorer over the past year, in part because it has been considered less vulnerable to attacks. Since the Firefox 1.0 release last November, however, a number of vulnerabilities have been discovered in the browser.
The Mozilla Foundation reports nearly 54 million Firefox downloads since the 1.0 release. Firefox has 6.8 percent of the browser market, according to research firm WebSideStory; but Internet Explorer is still used by nearly 89 percent of Web surfers, says the firm.