Mozilla patches critical Firefox flaws

And it warns Firefox 2.0 users that bugs in older browser won't be fixed.

Mozilla Corp. has patched seven security vulnerabilities in Firefox, two of them labeled "critical," in the browser's first update for 2009.

Firefox 3.0.6 fixes about half the number of bugs that Mozilla quashed in December with the previous security update.

Of the seven flaws, two were rated "critical," by Mozilla, two "high," one "moderate" and two "low" in the company's four-step scoring system. Both of the critical vulnerabilities may have significant exploit potential, Mozilla said.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort, at least some of these could be exploited to run arbitrary code," the company's advisory read. If so, hackers could use the bugs to crash the browser, then introduce their own malicious code into a vulnerable system, or both.

Other patches plugged a cross-site scripting hole -- a type of bug often used by identity thieves -- and another flaw that could be exploited to steal data from Web forms.

One of the seven patches was a second attempt to fix a problem first addressed in a November 2008 update. Although Mozilla rated the bug as moderate, the second-lowest in its scale, it said the vulnerability "could potentially be used by an attacker to inject arbitrary code," a description usually reserved for critical flaws. Mozilla justified the lower ranking by saying that any attack "has relatively high complexity."

Mozilla also warned users of the older Firefox 2.0 that their browser is vulnerable to some of the bugs patched in Version 3.0, although it didn't get into specifics. "If you're still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities," said Samuel Sidler, a Mozilla engineer, in a post to the "mozilla.dev.planning" message group Tuesday.

Firefox 2.0 was retired from support in mid-December. Since then, Mozilla has made a third and final attempt to get Firefox 2.0 users to update to the newer Firefox 3.0, and warned users that Google has shut off antiphishing protection in the former.

According to the latest data from Web metrics company Net Applications, Firefox 2.0 accounts for about 13% of Firefox's market share.

Not surprisingly, Mozilla Messaging's Thunderbird e-mail client, which uses the Firefox engine, primarily for JavaScript rendering, was not patched yesterday. It remains at Version 2.0.0.19, a late December update. Until Thunderbird catches up -- an update is currently being tested -- users can protect themselves against the two related Firefox vulnerabilities by disabling JavaScript in the e-mail program.

The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browser's built-in updater, or wait for the automatic update notification, which should pop up in the next 48 hours.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Firefox

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?