Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla detailed the security fixes included in each of the updates.
Version 10.0 of Firefox closes 8 security holes in the browser, 5 of which are “Critical” by Mozilla, according to the project’s Security Center page.
The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks bypassed by frame scripts, a use after free error in child nodes from nsDOMAttribute and various memory safety hazards. An attacker could exploit these vulnerabilities remotely to execute arbitrary code on a victim’s system.
Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or an attacker violating the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. They also fixed a moderate severity bug when exporting a user’s Firefox Sync key to a “Firefox Recovery Key.html” file that causes it to save with incorrect permissions.
Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one Internet application suite” fixes all of the same vulnerabilities, while Thunderbird 10 addresses all but the moderate incorrect permissions bug because it does not use Firefox Sync.
An update to the 3.6.x legacy branch of Firefox, version 3.6.23, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.
All users should upgrade to the current stable versions, the developers said.