Mozilla Updates Firefox and Thunderbird, Plugs Critical Vulnerabilities
The Mozilla Foundation has updated all versions of its Firefox web browser – this means Firefox 3.0, Firefox 3.5 and the latest and greatest, Firefox 3.6.
Firefox 3.0 has been updated to version 3.0.19. The update, as Mozilla said, is meant to fix several stability issues and address several security problems. To be more precise, Firefox 3.0.19 comes with fixes for a total of 6 security advisories – all but one carry the critical rating. The security advisories in question are:
MFSA 2010-21 - Arbitrary code execution with Firebug XMLHttpRequestSpy
MFSA 2010-20 - Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 - Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 - Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 - Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 - Crashes with evidence of memory corruption
Firefox 3.5 has been updated to version 3.5.9. This update is also meant to fix several stability issues and address several security problems. Firefox 3.5.9 comes with fixes for 8 security advisories – 5 critical, 3 low. These security advisories are:
MFSA 2010-22 - Update NSS to support TLS renegotiation indication
MFSA 2010-20 - Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 - Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 - Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 - Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 - Crashes with evidence of memory corruption
Please note that Firefox 3.0.19 and 3.5.9 are the last planned security and stability updates Mozilla will release for these browser versions. Users are strongly urged to upgrade to Firefox 3.6.
Speaking of which, Firefox 3.6 has been updated to version 3.6.3 – the update is meant to fix a critical security issue that, if exploited by a person with malicious intent, could lead to remote code execution. It is all detailed in security advisory MFSA 2009-25:
MFSA 2009-25
Title: Re-use of freed object due to scope confusion
Impact: Critical
Description: A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object.
Credit: Nils of MWR InfoSecurity.
If you would like to get Firefox 3.6.3, you can download it straight from Mozilla here.
The Mozilla Foundation has also updated Thunderbird to version 3.0.4. The update comes with several fixes for the user interface and several stability and security fixes. The security advisories attached to Thunderbird 3.0.4 are: