UPDATE: several security firms have announced that exploit code leveraging this vulnerability has been detected in the wild. Mozilla, upon being notified by these security firms, created, tested, and released a fix within 48 hours of the first notification. Code leveraging the vulnerability was initially discovered on the Nobel Peace Prize site. Since exploit code for the vulnerability is out there, users are advised to update their Firefox browser as soon as possible.
If you are currently on Mozilla’s Firefox 3.6 browser, you are well advised to update to the latest version, which is version 3.6.12. Why are you well advised to update to Firefox 3.6.12? For security reasons – this version fixes a critical security issue that, if exploited by a person with malicious intent, could lead to remote code execution. Mozilla employs a 4-tier severity rating and “critical” is the most dangerous one.
SPONSORED LINKS
You should receive an automatic update prompt. If you did not receive one, you can manually trigger and update by clicking Help -> Check for Updates. Or you can just download the latest Firefox version by clicking here.
The critical vulnerability that Firefox 3.6.12 fixes is detailed in security advisory MFSA 2010-73. Here’s the information included in this security advisory:
Title: Heap buffer overflow mixing document.write and DOM insertion Affected products: Firefox, Thunderbird, SeaMonkey Description: Morten Kråkvik of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox 3.6 development branches and affected all supported platforms. Credit: Morten Kråkvik of Telenor SOC.
In related news, Mozilla released Firefox 3.6.11 last week. Firefox 3.6.11 is a stability and security update. For version 3.6.11 Mozilla released 9 advisories, out of which 5 carry the critical rating. The security advisories Mozilla released for Firefox 3.6.11 are as follows (the bold ones are critical):
UPDATE: several security firms have announced that exploit code leveraging this vulnerability has been detected in the wild. Mozilla, upon being notified by these security firms, created, tested, and released a fix within 48 hours of the first notification. Code leveraging the vulnerability was initially discovered on the Nobel Peace Prize site. Since exploit code for the vulnerability is out there, users are advised to update their Firefox browser as soon as possible. 