According to Reston, Va.-based iDefense, Mozilla 1.7.3 and Firefox 1.0 -- and likely all earlier versions as well -- include a "design error" that lets hackers create a memory heap overflow, which then allow remote code execution and a compromise of the system. Even a failed attempt to exploit this flaw could bring down the browser, added iDefense.
Mozilla characterized the problem as "high" on the severity chart, but "low" on risk, in part because it said a successful exploit was dicey. "Creating the exact conditions for exploitation--including running out of memory at just the right moment--is unlikely," Mozilla said in an online security advisory.
There is no patch -- not uncommon with Mozilla browsers -- and instead users are urged to update to the newest versions, which don't include the flaw. Mozilla 1.7.6 and just-released Firefox 1.0.1 are the recommended editions. Both can be downloaded from the Mozilla Foundation Web site.
iDefense has posted details on the vulnerability on its site.