With the release of Firefox 21, Mozilla closed its Maintenance Service vulnerability that could lead to privilege escalation and three critical holes.
In addition, officials also closed off flaws in the ESR release of Firefox 17.0.6 and, although only one is exploitable on the Mozilla email client, Thunderbird 17.0.6 and its ESR release. Users should upgrade as soon as possible.
Although only rated as high severity, two of the flaws center around the Mozilla Maintenance Service. One is a new local privilege escalation hole which would allow an attacker with access to the local file system to get system privileges through the Maintenance Service. Mozilla said this flaw is not exploitable from the web. The other is a failure to update registry entries when updating, which left the browser exposed to previous privilege escalation holes in the Maintenance Service where Firefox version 12 previously ended up installed.
Rated as critical, is a collection of six out-of-bound, invalid write, or heap use-after-free memory corruption problems discovered by a member of the Google Chrome Security team. Some of the problems were potentially exploitable and allowed for remote code execution. Also rated as critical, but not exploitable in Thunderbird because scripting is disabled, are a use-after-free after resizing a playing video and another collection of memory safety issues.
There are also fixes at a high severity for DOM SVG Zoom events and a XSS-related access vulnerability. Finally, there was moderate-rated problem where information about paths could leak. Again, most of these issues affect Thunderbird but some may not be exploitable because of disabled scripting.
Updates to Firefox 21 and Thunderbird 17.0.6 should go through the automatic update system in each application; if users have disabled updates, the new versions are on the Firefox and Thunderbird download pages. Firefox 17.0.6 ESR and Thunderbird 17.0.6 ESR can also download, though users should remember these versions are for larger organizations.