A number of holes remedied in Firefox and Thunderbird
The Mozilla Foundation has released new versions of its browser and email client for Windows, Linux, and Mac OS X that remedy several critical security holes. Attackers could use these to get control of local PCs. All they need to do is get users to visit a manipulated web site or open a malicious email. The updates are already being automatically distributed.
A heap overflow also occurs when prepared images are converted into Windows bitmaps. For this trick to work, the properties of a site's CSS cursor reportedly have to be manipulated. Only the Windows version of Firefox is affected.
The browser's stability has also been improved to reduce the frequency of crashes. This problem was also considered critical because some of the crashes provided indications of memory leaks that attackers might be able to use to write code into the memory and execute it.
Finally, two cross-site scripting (XSS) weak points and a problem with RSS feeds were remedied. One of the XSS holes is only found in Firefox 184.108.40.206, while the others were also remedied in Firefox 220.127.116.11 and Thunderbird 18.104.22.168. The errors have also been corrected in SeaMonkey 1.0.7. The developers explicitly state that Firefox 22.214.171.124 also supports Windows Vista, though there are still some problems; for instance, some extra steps have to be taken into account for automatic updates, and Firefox cannot yet be made the default browser under Vista. While the developers also mention the error concerning emails deleted without prompting in the release notes for Thunderbird 126.96.36.199, the entry in Bugzilla says that the error has been remedied in version 188.8.131.52.
Firefox 184.108.40.206, 220.127.116.11 and Thunderbird 18.104.22.168 are available in a number of languages as downloads from Mozilla's download site, but the new versions are also being distributed via the application's software update. Firefox 1.0 and Thunderbird 1.0x are no longer supported; the errors are thus not remedied there. Users are advised to install the latest releases.
- Known Vulnerabilities in Mozilla Products, the Mozilla Foundation's security advisory