Mozilla details security fixes in Firefox and Thunderbird updates
After releasing Firefox 7 and Thunderbird 7 earlier this week, the Mozilla Project has now detailed some of the security fixes included in the updates. According to the project's Security Center page for Firefox, version 7 addresses a total of 8 security vulnerabilities in the web browser, 6 of which are rated as "Critical".
The critical issues include exploitable crashes in the YARR regular expression library and WebGL, a bug in the JSSubScriptLoader used by some add-ons and use after free errors, various memory safety hazards and a code installation exploit through holding down the Enter key. These vulnerabilities could be exploited remotely by an attacker to, for example, execute arbitrary code on a victim's system. Two moderate issues have also been addressed.
The update to the 3.6.x branch of Firefox, version 3.6.23, closes three of the above holes, as well as a critical integer overflow issue and a high-risk cross-site scripting (XSS) bug. Version 2.4 of the SeaMonkey "all-in-one internet application suite" fixes all of the same vulnerabilities as Firefox 7.
The 7.0 release of the open source Thunderbird news and email client also addresses several issues. As it uses the same Gecko engine as Firefox, Thunderbird 7 fixes four of the same critical bugs and one of the moderate problems; at the time of writing, Mozilla has yet to publish details of the vulnerabilities fixed in the update to the 3.1.x branch of Thunderbird, version 3.1.15. All users are advised to upgrade to the latest versions.