A critical vulnerability exists in Firefox that affects all platforms and is currently being used to deliver Windows-specific malware. One major concern is that this exploit targets an unpatched vulnerability. It would appear that the password-protected Bugzilla page may have been part of the reconnaissance process during exploit discovery.
Open source code that is available for any coder to view is a double-edged sword: on the one hand, the community works to improve the software; on the other, users with malicious intent have an excellent resource readily available, including the code itself and its bug reports. Open source and community-based projects currently remain sound, but code review is recommended for critical production systems.
If you are interested in exploit development, source code can prove a useful tool. Many exploit and 0day authors download open source code to truly understand how particular units perform validation and verification of data. Skilled malicious actors do the same, although there are normally far more efficient methods for finding exploits. Code review is labor-intensive, but the criminal life cycle is producing far more advanced skill sets.
Macintosh administrators and users should be aware of this exploit and remain vigilant. Using NoScript in conjunction with an anti-virus product may be the best defense. Currently this exploit can deliver Mac-based malware, including fake installers and rootkits.
Current reports indicate that the Iranian Cyber Army is collectively accumulating bots. There is no indication that the two events are linked, but malware delivery via political sites such as the Nobel Peace Prize site is at the very least interesting.
Mozilla has released an update to Firefox to patch the vulnerability that was being exploited by a 0day in the wild. Users should select "Check for Updates" or download the update directly from this location. (The update server was very busy after the release.)