Firefox 18 and Thunderbird 17.0.2 close critical holes
Mozilla has fixed 20 security holes with the release of Firefox ESR 17.0.2, Thunderbird 17.0.2 and Thunderbird ESR 17.0.2; 12 of these vulnerabilities have been rated critical by the organisation, the rest are classified as having high impact. Firefox 18 fixes an additional moderate security issue with touch events that caused a page in an iframe to see touch events occurring within other iframes. The W3C Touch events technology was introduced with Firefox 18 and the issue therefore does not affect older versions of the browser or Thunderbird.
The critical issues include MFSA 2013-20, in which two SSL certificates were accidentally issued by TURKTRUST and later misused to create bogus certificates for arbitrary domains; the two certificates have now been removed from the trusted certificates list. MFSA 2013-15 allowed attackers to open a privileged web page in Firefox and thus perform a privilege escalation through interaction with specifically crafted SVG elements. A buffer overflow in the HTML5 Canvas that could lead to a potentially exploitable crash was reported as MFSA 2013-03. Five use-after-free bugs in several components of Mozilla's software were also fixed, as well as miscellaneous memory safety issues. Many of these issues are less of a problem in Thunderbird as the email client disables scripting by default, which limits the exploitability of these vulnerabilities in normal usage of the email client.
The security issues rated as high by Mozilla include memory corruption that can be caused with SVG content and can lead to an exploitable crash, an issue where pages could spoof the URL they display in the address bar to mislead users, and problems with an XBL (XML Binding Language) function that leaked information about the address space layout of objects, causing ASLR (address space layout randomisation) to be less effective. The Firefox installer on Windows could be hijacked by placing a specifically named DLL in the default download directory alongside the installer binary which would then proceed to load the malicious DLL, leading to arbitrary code execution. On an account with administrator privileges, the system would execute the DLL with the same privileges.
To remedy the flaws, Mozilla recommends updating to Firefox 18, Firefox ESR 17.0.2 and Thunderbird ESR 17.0.2. Thunderbird 17.0.2 is the latest version of the email client as Mozilla has currently frozen its development of the product and is only doing maintenance releases on the code base. The updates should be automatically installed by the applications, but can be induced to download by displaying the applications' About dialog. It is, of course, also possible to download Firefox or Thunderbird from Mozilla's download pages.
Update 09-01-2013 15:10 – Mozilla has also released Firefox ESR 10.0.12 and Thunderbird ESR 10.0.12, fixing a number of the aforementioned security holes in these extended support versions as well. Both versions fix eight of the critical vulnerabilities that were fixed in their ESR 17.x versions. Firefox ESR 10.0.12 also fixed four of the high-rated vulnerabilities that were fixed in Firefox 17.0.2 ESR, while Thunderbird ESR 10.0.12 fixed three high-rated holes that were fixed in Thunderbird ESR 17.0.2. This release is likely to be the last release of the Firefox and Thunderbird ESR 10.x branches, with users being migrated to the ESR 17 branches at some point in the near future.
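For anyone checking an inventory against this advisory, the following added example (not code from Mozilla or from the original article) classifies Firefox and Thunderbird version strings against the fixed versions named above: Firefox 18, Firefox ESR 17.0.2, Thunderbird 17.0.2 / ESR 17.0.2, and the ESR 10.0.12 releases that carry only a subset of the fixes. It assumes the version string comes in the product's own dotted form (an "esr" suffix marks the extended support branch) and that the ESR 11–16 gap and any other unlisted branch should be reported as needing an update.

```python
"""Classify a Firefox/Thunderbird version string against the fixed versions
from the January 2013 advisories (added example; branch rules are assumptions)."""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Branches whose listed version carries all 20 fixes (plus the touch-event fix for Firefox 18).
FULL_FIX: Dict[Tuple[str, str], Version] = {
    ("firefox", "release"): (18, 0),
    ("firefox", "esr17"): (17, 0, 2),
    ("thunderbird", "release"): (17, 0, 2),
    ("thunderbird", "esr17"): (17, 0, 2),
}
# ESR 10.0.12 fixes eight critical and three or four high-rated holes, not all of them.
PARTIAL_FIX: Dict[Tuple[str, str], Version] = {
    ("firefox", "esr10"): (10, 0, 12),
    ("thunderbird", "esr10"): (10, 0, 12),
}


def parse_version(text: str) -> Version:
    """Turn '17.0.2esr' or '18.0' into an integer tuple; trailing letters are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Version, width: int = 3) -> Version:
    """Right-pad with zeros so that '18' compares equal to '18.0.0'."""
    return version + (0,) * (width - len(version))


def branch_of(version: Version, is_esr: bool) -> str:
    """Map a version to the branch the advisory talks about (assumed rule: ESR by major)."""
    if not is_esr:
        return "release"
    return {10: "esr10", 17: "esr17"}.get(version[0], "esr-unsupported")


def patch_status(product: str, text: str) -> str:
    """Return 'patched', 'partial' (ESR 10.0.12: subset of fixes) or 'vulnerable'."""
    product = product.lower()
    version = _pad(parse_version(text))
    key = (product, branch_of(version, "esr" in text.lower()))
    if key in FULL_FIX:
        return "patched" if version >= _pad(FULL_FIX[key]) else "vulnerable"
    if key in PARTIAL_FIX:
        return "partial" if version >= _pad(PARTIAL_FIX[key]) else "vulnerable"
    return "vulnerable"  # unknown branch or product: treat as needing the update
```

A host on the mainline branch below 18 is reported as vulnerable even at 17.0.1, matching the recommendation to move to Firefox 18 rather than to a mainline 17.x build.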