F-Secure reports:
Proof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:
– Code execution through favicons link
– Arbitrary code execution from Firefox sidebar panel
These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.
We advice all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen on your computer just by surfing to the wrong site.
For those who know what this means, it’s blood-curdling news. A proof of concept is code that exploits a vulnerability. From that code, it’s a short step to actually creating a hostile exploit that installs a virus or Trojan horse on an unpatched computer. (Oh, and forgive the grammatical errors in the F-Secure announcement. They’re based in Finland and English is obviously a second language. Their expertise in combatting viruses is, however, second to none.)
There’s a little tiny icon in the upper right corner of the Firefox window, just below the Minimize / Maximize / Close buttons, that is supposed to alert you when an upgrade is available. The most current version is 1.0.3, and the little icon has been visible now for a couple of days, with no additional warning of any kind. In my opinion, the Firefox alert icon is way too subtle. How many people had Firefox 1.0 installed on their computer by a friend or family member over the holidays and don’t realize there have been three critical updates since then?
Curiously, the Mozilla Security Center includes no mention of the two most recent updates. As of today, the announcement at the top of the page reads:
Mozilla Foundation Announces Update to Firefox (February 24, 2005) All users should upgrade to Firefox 1.0.1, a security update to Firefox 1.0. …
And yet… The Mozilla Foundation Security Advisories page, which is linked from the Security Center, lists both Firefox 1.02 (released March 23), which fixes one critical security issue, and Firefox 1.03 (released April 15), which fixes three separate critical security issues, including the two that now have exploit code in the wild.
There’s no question that the Mozilla/Firefox team is taking their responsibility seriously, but the update mechanism is not working properly for a software program that is intended for use by the masses.
Yikes. I have ver 1.0 that I use only for testing websites. I don’t see that icon at all. Perhaps my version doesn’t have auto-update? There’s also no update option in any of the menus.
I don’t have a 1.0 install around to test. The Update option still isn’t on any menu. There’s a Check for Updates option on the Advanced tab of the Tools, Options dialog box. Is that option checked? You can also check for updates manually by clicking the button there, at least on later versions.
I have 1.0 on the computer I’m currently on, so went to have a look. Clicking the “Search for Updates” button in the Advanced tab yields nothing, but clicking the throbber in the top right goes to the Firefox home page which prominently displays version 1.0.3. There’s no icon or other sign that an update is available, though.
With FF 1.06 where is the ‘Software Update’ button anyway? The help shows it between ‘Tabbed Browsing’ and ‘Security’ in the ‘Advanced’ settings.
I have ‘Tabbed Browsing’ and ‘Security’ there, but no ‘Software Update’ anything.
I don’t have FF 1.06 installed here, so I can’t check.
Is there a reason why you don’t update to 1.5?