22 July 2009, 09:32

Firefox 3.0.12 patches critical vulnerabilities

For users that haven't already updated to the latest Firefox 3.5 release, Mozilla has released Firefox 3.0.12, patching one high risk and five critical security vulnerabilities in their popular open source web browser. The security update addresses a critical vulnerability in the Firefox browser engine that could lead to it crashing, resulting in memory corruption and the possible execution of arbitrary code. A second critical vulnerability has been patched that could potentially be used by an attacker to execute arbitrary code when a Flash object is used to crash the browser.

The browser update fixes a series of heap and integer overflow vulnerabilities in font glyph rendering libraries that could be used by an attacker to crash libpango or CoreGraphics and to run code on Linux and Mac OS X systems. A critical crash and remote code execution vulnerability caused by an SVG element has been fixed and a critical problem caused by the setTimeout parameter that could allow arbitrary JavaScript to be run with the browser chrome privileges, has been addressed. The release also fixes a high risk cross-site scripting (XSS) vulnerability that could be used to run arbitrary JavaScript within the context of another site.

The Mozilla developers strongly advise all Firefox 3.0.x users to update to the latest release. According to a post on Mozilla's developer blog, all users are encouraged to upgrade to Firefox 3.5 as Firefox 3.0.x security and stability fixes will end in January of 2010.

More details about the release can be found in the release notes. Current Firefox 3.0.x users can update via the built-in Firefox update service by selecting Help, then "Check For Updates". Firefox binaries are released under the Mozilla Firefox End-User Software License Agreement and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.

See also: