FrSIRT warned users of Firefox and Mozilla that the exploit code -- which FrSIRT published in its entirety, a not-uncommon practice for the firm -- should be considered a critical risk.
According to the comments posted by the exploit's author, identified as Berend-Jan Wever, a Dutch programmer who has previously cranked out exploit code for Internet Explorer vulnerabilities, the hack creates a heap buffer overflow, and when it works, can give the user complete control of a vulnerable machine running Firefox, Mozilla, or even Netscape.
Like many browser-oriented exploits, an attack using the exploit would require that the victim surf to a malicious site; the usual methods of getting users to evil Web sites is with spam e-mail.
Tuesday, Mozilla patched the Firefox browser against the bug in its support of international domain names (IDN). Thursday, it followed up with a similar fix for the Mozilla suite in its Windows, Linux, and Mac OS X incarnations.
Netscape, however, has not yet patched that browser.
That may not matter, wrote Wever in his code comments. "[The code] is optimized to work with FireFox, who [sic] do have a patch out, but on a rare occasion it will work in Netscape."