Mozilla has found and removed a virus from its Vietnamese language pack for their Firefox 2 browser. The virus loads remote content, showing the unwitting users unwanted advertising, but does not propagate the virus itself to others.
Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.
Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.
A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.
All in all, Mozilla's had good success with the safety and security of their open-source add-ons. But sometimes the malware peddlers are halfway around the globe while honest programmers are still lacing up their shoes.