Mozilla security release patches eight bugs, six critical

Mozilla today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines.

Mozilla released a security update for its Firefox 3.0 browser, which patches eight security flaws.

Among the flaws fixed by Firefox 3.0.7 is a bug that Mozilla said "showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code".

In an advisory, Mozilla added that it was concerned that JavaScript flaws could also be exploited.

"We strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images," Mozilla added.

Mozilla was uncertain whether the four vulnerabilities patched in the layout and JavaScript engines could be exploited, but assumed as much. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the accompanying advisory read.

Other patches plug holes that could be used by hackers to steal private information and spoof URLs to trick users into thinking they're at a legitimate site.

This is Mozilla's second security release for the Firefox browser this year. The update can be downloaded directly from Mozilla's website; alternatively, Firefox 3 users will be prompted to install it by an automatic update notification.

Mozilla Messaging's Thunderbird e-mail client, which uses the Firefox rendering engine for JavaScript and other functionality, was not patched today, although six of the eight vulnerabilities also affect it.

Until Thunderbird is updated with those fixes - mid-month is the latest estimate for Thunderbird - users can protect themselves by disabling JavaScript, said Mozilla. By default, the e-mail application has JavaScript switched off.

The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browser's built-in updater, or wait for the automatic update notification, which typically pops up within 48 hours.

In other Firefox-related news, Mozilla today said that it would change the version number of the next major update from Firefox 3.1 - the moniker used since May, when the company first announced the upgrade - to Firefox 3.5.

The change, which had been suggested by several developers, will "indicate [the] increased scope" of the update, according to meeting notes posted online today.

Last week, one developer called on Mozilla to bump up the version number. "That way we would more clearly communicate to users that this isn't just a minor update but a major step forward," said Simon Paquet.

Mozilla also modified the schedule for Firefox 3.1 Beta 3 today (it is too late in the process to rename the beta to 3.5), pushing back the ship date of the oft-delayed preview from an earlier estimate of 10 March to 12 March.

Firefox holds a 22% market share, according to browser data from Web metrics company Net Applications Inc.
