In association with heise online

17 August 2011, 17:10

Firefox, Seamonkey and Thunderbird updates address critical errors


Mozilla has released updates to Firefox, SeaMonkey and Thunderbird, including legacy versions, to address a number of critical errors in the browsers and email clients. As the projects share code, different projects can be affected by the same bugs.

For example, Mozilla has released Firefox 3.6.20 – the latest update to the last of the old-style release versions of Firefox – to address five critical and two high severity flaws in the browser. According to the advisory, these include memory safety hazards which corrupt memory, dangling pointer issues in SVGTextElement.getCharNumAtPosition and the appendChild method, and privilege escalations in event handlers and when dropping a tab element into a content area.

Only one of these errors, the SVGTextElement error, is also among the five critical and two high severity errors which are fixed in Firefox 6. The Firefox 6 advisory notes a number of memory safety hazards with WebGL, JavaScript and Ogg reader crashes, unsigned scripts being able to call into signed JAR files, a buffer overrun while using WebGL shaders, and a heap overflow in the ANGLE library used by Mozilla's WebGL. The fixes in Firefox 6 also apply to SeaMonkey 2.3, which shares the Gecko 6 rendering engine, giving it a very similar advisory to the browser update.

There appear to have been no security updates for Thunderbird 6, or at least no advisory, but there is an update for the older Thunderbird 3.1 series in the form of Thunderbird 3.1.12. Its advisory is similar to the advisory for Firefox 3.6.20, with the caveat, from Mozilla, that many of the issues are not exploitable because JavaScript is not enabled for mail by default (Mozilla does note that they could be triggered when reading full RSS feeds though).

