Firefox 3.0.12 patches critical vulnerabilities
For users who haven't already updated to the latest Firefox 3.5 release, Mozilla has released Firefox 3.0.12, patching one high-risk and five critical security vulnerabilities in its popular open source web browser. The security update addresses a critical vulnerability in the Firefox browser engine that could lead to it crashing, resulting in memory corruption and the possible execution of arbitrary code. A second critical vulnerability has been patched that could potentially be used by an attacker to execute arbitrary code when a Flash object is used to crash the browser.
The browser update fixes a series of heap and integer overflow vulnerabilities in font glyph rendering libraries that could be used by an attacker to crash libpango or CoreGraphics and to run code on Linux and Mac OS X systems. A critical crash and remote code execution vulnerability caused by an SVG element has been fixed and a critical problem caused by the
The Mozilla developers strongly advise all Firefox 3.0.x users to update to the latest release. According to a post on Mozilla's developer blog, all users are encouraged to upgrade to Firefox 3.5 as Firefox 3.0.x security and stability fixes will end in January of 2010.
More details about the release can be found in the release notes. Current Firefox 3.0.x users can update via the built-in Firefox update service by selecting Help, then "Check For Updates". Firefox binaries are released under the Mozilla Firefox End-User Software License Agreement and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
- Fixed in Firefox 3.0.12, security advisory from Mozilla.