2008-05-08
Open-source software maker Mozilla warned users on Wednesday that the Vietnamese version of its browser includes a script that is being used to target users with ads and potentially could be used to infect users with malicious code.
The malicious code, which has been in the Vietnamese language pack for Firefox since February 18, is a simple script that runs code from a particular site. Mozilla has no estimate of the number of people that might have the code running on their computer but more than 16,000 copies of the software have been downloaded since November 2007, the company's chief security officer Window Snyder said on Mozilla's security blog.
"Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload," Snyder said. "We are also adding after-the-fact scans of everything to address this sort of case in the future."
Modifying local HTML files to leave behind malicious code is a standard technique of many Trojan horse and bot programs. In this case, the offending program appears to be the Xorer Trojan, according to a bug report on Mozilla's site.
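The kind of after-the-fact scan described above can be sketched as follows. This is an added example, not Mozilla's scanner or code from the original article: it assumes the pack is a zip-format archive (as XPI files are) that may contain nested archives, and all function names, file names and the host `ads.example.invalid` are constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

MARKUP = (".html", ".htm", ".xhtml")
ARCHIVES = (".xpi", ".jar", ".zip")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())

def remote_scripts(data, name):
    """Return (member path, URL) for each script loaded from a network host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            body, path = archive.read(member), f"{name}!{member}"
            if member.lower().endswith(ARCHIVES):
                findings += remote_scripts(body, path)  # packs may nest archives
            elif member.lower().endswith(MARKUP):
                parser = ScriptSrcCollector()
                parser.feed(body.decode("utf-8", errors="replace"))
                for src in parser.sources:
                    url = urlparse(src)
                    # chrome:// and relative paths are local; //host/x has an empty scheme
                    if url.netloc and url.scheme in ("", "http", "https", "ftp"):
                        findings.append((path, src))
    return findings

def build_sample_pack():
    """Constructed sample input: an outer archive with a nested one inside."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("help/index.html", '<script src="chrome://browser/content/help.js"></script>')
        z.writestr("help/about.html", '<p>text</p><SCRIPT SRC="http://ads.example.invalid/a.js"></SCRIPT>')
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/locale.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, src in remote_scripts(build_sample_pack(), "sample.xpi"):
        print(path, "->", src)
```

A check like this is independent of antivirus signatures, so it flags a remotely loaded script in localized content even when the scanner in use at upload time does not yet recognize the infection.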
Mozilla's security faux pas is not the first time that a company has shipped malicious code in a product. In December, a number of consumers complained that programs included on digital picture frames tried to infect their computers. In addition, Apple shipped a virus on some of its iPods in 2006, and Microsoft accidentally included the well-known Nimda virus on the Korean version of Visual Studio .NET for developers.
Mozilla plans to ship an updated version of the language pack and urged users of the Vietnamese language pack to disable it in the add-on portion of the Tools menu.
If you have tips or insights on this topic, please contact SecurityFocus.