Mozilla issues Firefox & Thunderbird security updates
Following delays due to a startup crash regression, the Mozilla project development team has issued updates for the Firefox web browser and for the Thunderbird news and email client to close multiple critical security vulnerabilities affecting these products. According to the developers, the Firefox updates address a total of ten issues: eight critical security bugs, one high-risk issue and one moderate problem. Many of the issues, such as crashes caused by corrupted JPEG images, memory corruption during text run construction, or buffer overflows in the JavaScript engine, could potentially lead to the remote execution of arbitrary code on a victim's system.
As Thunderbird 3.1.x is based on the same Gecko layout engine version as Firefox 3.6, the 3.1.8 update for Thunderbird fixes two of the same critical issues addressed in the above Firefox releases. The developers note that Thunderbird 3.0.11 from December of last year was the final security and stability update for Thunderbird 3.0.x and advise all users to upgrade to the 3.1 branch.
The Mozilla developers also plan to release an update, version 2.0.12, for the SeaMonkey "all-in-one internet application suite" to address the above security issues. The update will also include fixes for a number of non-security related crashes, improving the application's overall stability. At the time of this posting, however, the update has yet to be published. More details about SeaMonkey 2.0.12 can be found in the preliminary release notes and in the SeaMonkey 2.0.12 security advisories.
Further information about the updates can be found in the release notes for Firefox 3.5.17 and 3.6.14 and for Thunderbird 3.1.8. Firefox 3.5.17 and 3.6.14, and Thunderbird 3.1.8 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu. All users are strongly encouraged to upgrade to the latest releases as soon as possible.
Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and the Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
See also:
- Mozilla Foundation Security Advisories, Firefox and Thunderbird security advisories.
- Firefox 3.6.14 and 3.5.17 security updates now available, a Mozilla Developer Center blog post.
- Thunderbird 3.1.8 Update is Now Available, a Mozilla Developer Center blog post.
(crve)