In association with heise online

29 April 2011, 10:43

Mozilla patches Firefox and Thunderbird


The Mozilla project has released new versions of Firefox, its open source web browser, and the Thunderbird email client to address several critical issues found in the previous releases.

The first update to Firefox 4.0, version 4.0.1, addresses a total of three vulnerabilities, two of which are rated as critical. The browser's WebGLES feature contains bugs that could lead to crashes, potentially resulting in the execution of malicious code. The Windows version of Firefox was also found to have been compiled without ASLR (address space layout randomisation), which could allow an attacker to bypass ASLR's protection against malicious code if a memory corruption flaw was found. Several critical memory safety bugs in the browser engine used by Firefox have also been corrected. These bugs reportedly showed evidence of memory corruption under certain circumstances, and the developers presume that, with enough effort, some of them could be exploited to run arbitrary code.

Updates have also been issued for the 3.5.x and 3.6.x branches of Firefox. These updates, versions 3.5.19 and 3.6.17, address the same memory safety bugs noted above, as well as five other vulnerabilities. The legacy branches of Firefox contain two further critical holes: a privilege escalation problem in the Java Embedding Plugin (JEP) which shipped with Mac OS X versions, and multiple dangling pointer vulnerabilities. Two moderate risk bugs and one low risk bug have also been corrected. The developers note that version 3.5.19 of Firefox will be the last planned security and stability update for the 3.5 branch and encourage all users to upgrade to the 4.0.x branch of Firefox.

Mozilla has also released an update for Thunderbird, version 3.1.10. According to the release notes, the update includes several performance, stability and security fixes. However, at the time of this posting, the Thunderbird 3.1.10 security advisories have yet to be posted. As Thunderbird 3.1.x is based on the same Gecko browser engine as Firefox 3.6.x, it can be assumed that the update addresses most, if not all, of the vulnerabilities fixed in Firefox 3.6.17.

Further details about the updates, including links to the full change logs, can be found in the Firefox 4.0.1, 3.6.17 and 3.5.19, and Thunderbird 3.1.10 release notes. Firefox 3.6.17 and 4.0.1, and Thunderbird 3.1.10 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu. Mozilla encourages users to upgrade to the latest releases as soon as possible.

Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and the Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
