Mozilla issues Firefox & Thunderbird security updates
Just one week after the previous updates were released, the Mozilla development team have issued updates for the Firefox web browser and for the Thunderbird news and email client to close a critical security vulnerability affecting these products. According to the developers, the updates address a critical security issue that could potentially lead to the remote execution of arbitrary code on a victim's system. The previously reported zero-day vulnerability (CVE-2010-3765), which was used to attack visitors to the Nobel Peace Prize web site, was related to a bug that led to a heap buffer overflow when mixing document.write and DOM insertion.
As they are based on the same Gecko layout engine versions as Firefox, the 3.1.6 and 3.0.10 security updates for Thunderbird close the same issues addressed in the above Firefox releases. Additionally, the developers note that, while reading email in Thunderbird does not pose a risk to users, the vulnerability could be triggered via an RSS feed if JavaScript is enabled or by a third-party add-on that enables browser-like functionality.
The Mozilla developers will also release an update for SeaMonkey, the "all-in-one internet application suite", to address the above issues. Further information about this 2.0.10 update, which has yet to be released at the time of this writing and fixes the above-mentioned vulnerability and several non-security-relevant crashes, can be found in the SeaMonkey 2.0.10 security advisory and in the release notes.
More details about the updates can be found in the Firefox 3.5.15 and 3.6.12, and Thunderbird 3.0.10 and 3.1.6 release notes. Firefox 3.5.15 and 3.6.12, and Thunderbird 3.0.10 and 3.1.6 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions, either by waiting for the automated update notification or, when applicable, by manually selecting "Check for updates" from the Help menu. All users are strongly encouraged to upgrade to the latest releases as soon as possible.
Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and the Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
See also:
- Mozilla Foundation Security Advisories, Firefox and Thunderbird security advisories.
- Firefox 3.6.12 and 3.5.15 security updates now available, a Mozilla Developer Center blog post.
- Thunderbird 3.1.6 and 3.0.10 security updates now available, a Mozilla Developer Center blog post.
(crve)