Security firm Secunia discovered two vulnerabilities in Firefox 1.0.3 browser that could open the system to a possible attack from a malicious attacker.

The first vulnerability is associated with IFRAME JavaScript URLs. Under this flaw, the URLs are not rightfully executed and an attacker could visit a specific URL by utilizing the history feature and masking the original URL. "If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Chief Technology Officer, Secunia. He later said that an attacker could then use the private information for identity theft purposes or to visit confidential and password protected sites, namely from banks.

The second flaw in the browser is embedded in the IconURL parameter in InstallTrigger.Install(). According to the security report, specific information passed through this parameter is not properly secured, thereby, giving an outsider a complete access to the system.

Secunia suggested that users in need of new theme packs or security updates must visit the Mozilla site and download and install the desired patches manually.

Since the bug was discovered over the weekend, the Mozilla Foundation has disabled the automatic update functionality and requests that all users disable JavaScript until the bugs have been patched. Kristensen said the risk is much lower now and the exploitation of the vulnerabilities should not be wide spread after Mozilla Foundation’s decision to disable its automatic update service. However, users are still prone to an attack if they continue to download themes and other browser extensions from unofficial sources.

Thus far, Secunia has received no news of the exploitation of the aforementioned security flaws.