Visitors to Nobel website get a different prize

WEB BROWSER OUTFIT Mozilla has admitted to a zero-day security flaw in Firefox that saw the Nobel Prize website offering up malware.

Windows users of Firefox 3.5 and 3.6 visiting the website were infected by a Trojan that gives the attacker complete control of the user's machine. The insecurity vendor Norman, in its threat analysis said that once the machine is infected, the Trojan creates registry keys to automatically start during Windows' bootup.

Mozilla has acknowledged the vulnerability and confirmed it is working on a fix. In the meantime, affected users who visit the Nobel Prize website find that Firefox's malware protection feature throws up a warning message. The problem with this method of containment is that Mozilla doesn't know if other websites have similar drive-by download exploits.

To counter such a threat on a more general level, Mozilla suggest disabling Javascript or using the Noscript add-on.

Drive-by download attacks are becoming an increasingly common method to push malware onto unsuspecting web users. Making use of holes in scripting language interpreters such as Javascript and Microsoft's ActiveX has been standard practice for many years. Generally it is recommended to disable scripts on all but trusted websites, though few would have thought the Nobel Prize website would end up inadvertently peddling malware.

It seems that this time some Firefox users got caught out while trying to find out which bright spark received a Nobel gong. µ