One critical flaw in previous versions of the Firefox browser lets an embedded OGG video element of “extreme” size cause a crash that could potentially allow an attacker to inject malicious code. However, Mozilla is keeping the specific details of this confidentially disclosed vulnerability under wraps.
Mozilla also closed a hole that allowed attackers to access out-of-bounds memory areas and inject malicious code via specially crafted SVG files. Another critical issue addressed in Firefox 9.0 is a currently unspecified and potentially exploitable crash in the YARR regular expression library. Mozilla also closed other critical memory bugs in 9.0.
Upgrading to Firefox 9.0 addresses these issues, and the organization advises all users to upgrade, either using Firefox’s automatic update system or by downloading the latest version.
The vulnerabilities also exist in previous versions of the SeaMonkey “all-in-one Internet suite” and are fixed in the SeaMonkey 2.6 update.
The Thunderbird email client is vulnerable, but only the first vulnerability mentioned is critical. Version 9.0 of Thunderbird will fix the issues, but the organization has not released it yet.