Firefox exploit targets zero day vulns | The Register: "Security researchers have discovered two unpatched vulnerabilities in Firefox, the popular alternative web browser. The security bugs affect even the latest version of Firefox (version 1.0.3) and create a means for attackers to seize control of vulnerable systems using cross-site scripting attacks.
One vulnerability enables arbitrary JavaScript code with escalated privileges to be executed via a specially crafted JavaScript URL. Successful exploitation requires that a site is allowed to install software (default sites are 'update.mozilla.org' and 'addons.mozilla.org'). This would normally drastically reduce the scope for mischief - but for a second security bug, involving 'IFRAME' JavaScript URLs, which creates a means to execute arbitrary HTML and script code in the context of an arbitrary site..."