Mozilla patches 'critical' Firefox security hole

Mozilla rates this a "critical" vulnerability that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Mozilla has shipped an urgent Firefox security update to fix a vulnerability that exposes web surfers to malicious hacker attacks.

The vulnerability, fixed with the latest Firefox 10.0.1, causes a browser crash that may be exploitable to launch code execution attacks.

From Mozilla's advisory:

Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This crash may be potentially exploitable.

[ SEE: Ten little things to secure your online presence ]

Mozilla rates this a "critical" vulnerability that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

The open-source group said Firefox 9 and earlier browser versions are not affected by this vulnerability.