Firefox and Thunderbird 15 fix several security vulnerabilities
Following the release of version 15 of Firefox and Thunderbird, Mozilla has detailed the security vulnerabilities that have been fixed in both products. The fixes include seven critical vulnerabilities in Firefox, five of which are also present in Thunderbird. All in all, the new version of Firefox addresses 16 vulnerabilities while the new Thunderbird version closes 12 holes.
The bug fixes close several memory-related critical vulnerabilities that could be exploited by remote attackers to execute arbitrary code on a target system. Both Firefox and Thunderbird were affected by a vulnerability that allowed an attacker to inject code into the web console and use eval() to run it in a privileged context. This could allow malicious sites to execute arbitrary code when the console is invoked by the user. This problem, rated as high on Mozilla's scale, has now been fixed. Further security vulnerabilities, two of them rated critical, were closed in the Graphite 2 library, in WebGL and in the SVG rendering engine, all of which are used by both Firefox and Thunderbird.
Complete lists of all fixed vulnerabilities are available for Firefox and Thunderbird. This information is also available for SeaMonkey; version 2.12 of SeaMonkey fixes the same vulnerabilities as Thunderbird 15.
Mozilla has also released new versions of the Extended Support Releases (ESR) for both Firefox and Thunderbird. Firefox ESR 10.0.7 fixes ten vulnerabilities, five of which are critical, while Thunderbird ESR 10.0.7 closes nine security holes in total, including the same five critical vulnerabilities.
A new security feature in Firefox 15 that is worth noting is the ability for the browser to automatically update itself in the background. Firefox now installs all updates behind the scenes and only prompts users to restart the browser afterwards to apply them.
For more information on the new features in both releases, see:
- Firefox 15 for desktop and Android released, a report from The H.
- Thunderbird 15 activates instant messaging, a report from The H.