In association with heise online

18 July 2012, 11:09

Critical holes closed in Firefox, Thunderbird and SeaMonkey

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Mozilla Trio logo Following the latest round of updates to its suite of internet applications, Mozilla has now detailed all of the security fixes in the new versions of its Firefox web browser, Thunderbird news and email client, and the SeaMonkey "all-in-one internet application suite". As they are all based on the same Gecko platform, version 14.0 of Firefox and Thunderbird , and version 2.11 of SeaMonkey close a number of the same security holes, some of which are rated as "Critical" by the project; updates have also been published for the "enterprise" versions of Firefox and Thunderbird to address these issues.

These critical vulnerabilities include a code execution problem related to javascript: URLs, a JSDependentString::undepend string conversion bug that can be exploited to cause a crash, a same-compartment Security Wrappers bypass issue, and various memory safety hazards. Critical use-after-free problems, an out-of-bounds read bug, and a bad cast in the Gecko engine that could lead to memory corruption have also been addressed. According to Mozilla, some of these vulnerabilities could be exploited remotely by an attacker to, for example, execute arbitrary code on a victim's system.

The developers have also corrected three high-risk vulnerabilities – including location spoofing and data leakage issues – and three moderate security bugs. Additionally, the update to Firefox closes a high-risk cross-site scripting (XSS) problem, and two moderate issues. Many of these same vulnerabilities have been addressed in version 10.0.6 of Mozilla's "enterprise" Extended Support Releases (ESR) of Firefox ESR and Thunderbird ESR.

Firefox 14.0.1 (release notes), Firefox ESR 10.0.6 (release notes), Thunderbird 14.0 (release notes), Thunderbird ESR 10.0.6 (release notes) and SeaMonkey 2.11 (release notes) are available to download for Windows, Mac OS X and Linux from the project's site.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-1644530
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit