Mozilla patches eight Firefox bugs, six critical
Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines.
Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago.
Of the eight vulnerabilities, six were rated "critical," one "high" and one "low" in Mozilla's four-step ranking system. The six critical bugs are in Firefox's garbage collection routine, in the PNG libraries used by the browser, and in the layout and JavaScript engines.
Mozilla was uncertain whether the four vulnerabilities patched in the layout and JavaScript engines could be exploited, but assumed as much. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the accompanying advisory read.
Other patches plug holes that could be used by hackers to steal private information and spoof URLs to trick users into thinking they're at a legitimate site.
Mozilla also addressed several non-security issues in Firefox 3.0.7, including unspecified stability problems, a bug that caused some browser cookies to mysteriously vanish, and a Mac-only flaw associated with the Flashblock add-on.
Mozilla Messaging Inc.'s Thunderbird e-mail client, which uses the Firefox rendering engine for JavaScript and other functionality, was not patched today, although six of the eight vulnerabilities also affect it. Until Thunderbird is updated with those fixes -- mid-month is the latest estimate for Thunderbird 2.0.0.21 -- users can protect themselves by disabling JavaScript, said Mozilla. By default, the e-mail application has JavaScript switched off.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browser's built-in updater, or wait for the automatic update notification, which typically pops up within 48 hours.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
firefox
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
