Advertising code inserted by the malicious Xorer worm has been discovered in a plugin for the Firefox web browser that has been downloaded thousands of times in the last three months.
Mozilla's chief of security, Window Snyder, has confirmed in a post on her blog that HTML files in Firefox's Vietnamese language pack were carrying a script (detected by Sophos as Mal/Badsrc-A) designed to display irritating advertising messages as users browsed the web. The affected files had been available for download since February 18 2008. The script is not believed to have been planted deliberately, and is most likely the result of a developer's computer being infected by the Xorer worm, the first variant of which was first protected against by Sophos in January 2008.
As we note in the latest Sophos Security Threat Report, hackers are attacking the web at a faster rate than ever before, and are aggressively looking for webpages to infect. Indeed, Sophos discovers one new infected webpage every five seconds.
As more and more software programs ship today with HTML files it is important that proper care is taken by developers to ensure that their HTML code has not been compromised by malware. There is a risk that software engineers working on a project may also use their development computer to surf the net, and be a vector by which malicious code can enter the final shipping product.
The good news in this case is that the only affected files appear to be related to the Vietnamese language pack. Of course, that's not good news if you're a Vietnamese user of Firefox, but imagine how much bigger the problem would be if it had been the English language version of Firefox that had been poisoned.
Mozilla says a new Vietnamese language pack will be available shortly.