Firefox and Thunderbird updates patch security holes
The Mozilla Project has published updates for Firefox, its open source web browser, and the Thunderbird email client to fix several bugs and other critical issues found in previous versions. The latest Firefox 5 rapid release update addresses a total of 8 security vulnerabilities, 5 of which are rated as "Critical" by Mozilla.
Previous versions of the browser (up to and including 4.0.1) contained a bug in a JavaScript Array object that could potentially result in an integer overflow and the execution of malicious code, and could crash on multipart/x-mixed-replace images due to memory corruption. A number of critical memory safety hazards in the browser engine have been fixed. Mozilla says that "with enough effort at least some of these could be exploited to run arbitrary code". Other issues include use-after-free errors when viewing an XUL document with script, and multiple WebGL crashes. Two moderate holes that could lead to cross-site scripting (XSS) attacks or a violation of the same-origin policy have also been corrected.
The update to the 3.6.x branch of Firefox, version 3.6.18, fixes nearly twenty bugs. These include four of the critical security holes noted above, as well as another critical issue related to multiple dangling pointer problems and a cookie isolation error. On its download page, the project notes that "Firefox 3.6.x will be maintained with security and stability updates for a short amount of time". As such, all users are strongly encouraged to upgrade to Firefox 4.x or later.
As Thunderbird 3.1.x is based on the same Gecko browser engine as Firefox 3.6.x, the 3.1.11 update addresses most, if not all, of the vulnerabilities fixed in Firefox 3.6.18. At the time of writing, the Security Advisories for Thunderbird 3.1 web page, the release notes and the download page have yet to be updated to reflect the latest version.
Further information about the updates can be found in the Firefox 3.6.18 and 5.0 release notes. Firefox 3.6.18 and 5.0 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu. Mozilla encourages users to upgrade to the latest releases as soon as possible.
Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and the Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
See also:
- Mozilla releases Firefox 5, a report from The H.
- Thunderbird 5.0 arrives in Beta channel, skips 4.0, a report from The H.
(crve)