Mozilla patches 11 bugs in Firefox

Mozilla Corp. late Tuesday patched 11 vulnerabilities in Firefox 3.0, more than half of them labeled "critical," and fixed 14 flaws in the older Firefox 2.0.

Firefox 3.0.2 quashes six critical bugs, four marked "high," and one pegged as "low" in Mozilla's four-step threat ranking system. Among the most serious were four stability bugs in the browser's graphics rendering, layout and JavaScript engines that can crash the program and might be exploitable with malicious code.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," said Mozilla in the accompanying advisory.

Mozilla also updated the older Firefox to 2.0.0.17, patching all but one of the bugs fixed in 3.0.2, but also addressing several issues specific to the aging browser.

It's unclear how many more updates Mozilla will release for Firefox 2.0 -- it doesn't produce them on a set schedule -- because it has already announced it will drop the browser this December. Yesterday, Mozilla continued to urge users to upgrade to Firefox 3.0.

One of the bugs in both Firefox 2.0 and 3.0, although rated only low, was described by Mozilla as a variant of a "click-hijacking" vulnerability first reported in Microsoft Corp.'s Internet Explorer by Liu Die Yu, a researcher noted for finding flaws in IE. Microsoft first patched the bug in 2003, then patched it again the following year.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine