Another Firefox flaw emerges

A proof-of-concept exploit demonstrated the vulnerability, which is the second serious flaw found in the product in two weeks. Last week at the CanSecWest show, another researcher discovered flaws in all three major browsers, including Firefox. These are now the property of TippingPoint's Zero Day Initiative, which sponsored that show.

The Mozilla Foundation is preparing an emergency security update to protect against the two flaws, which it said will be available on April 1. The release has been labelled high priority, meaning that all other work will be put on hold. "QA and Release teams should work weekends if required to get an update into users' hands as quickly as possible," according to the Mozilla page describing high priority work.

Mozilla's security scorecard was firmly marked recently, following the release of Secunia's 2008 annual security report. The vulnerability analysis firm found that the open source Firefox browser suffered from 115 discovered vulnerabilities in 2008, compared to 31 for Internet Explorer, 32 for Safari, and 30 for Opera.  

This is the second flaw published by Landi, who discovered a buffer overflow bug in Adobe's Acrobat Reader last month.
