Firefox 3.5.6 closes a number of “critical” flaws, which could allow an attacker to crash a victim's browser or run arbitrary code on an affected computer. This is the first time Firefox has been updated for security since late October.
Three of the four vulnerabilities outlined in MFSA-2009-065 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable to immediately patch the browser.
Firefox 3.0, which Mozilla will retire from security support next month, was also updated Tuesday with the release of version 3.0.16. The older browser received seven patches, just two of them marked critical.
Firefox 3.0, which Mozilla will retire from security support next month, was also updated Tuesday with the release of version 3.0.16. The older browser received seven patches, just two of them marked critical.
“Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code,” Mozilla said in its bulletin.
The two other critical bulletins address bugs in the browsers “libtheora” video library and “liboggplay” media library. An integer overflow vulnerability in the video library could be exploited by an attacker who uses a specially crafted video to cause a crash, run arbitrary code or initiate a denial-of-service attack. Several bugs in the liboggplay media library caused memory safety issues.
The update also closes one vulnerability rated “high” in severity, three rated "moderate", and one rated "low."
Mozilla has also released an update for Firefox 3.0, which address all the vulnerabilities in version 3.5 except those in the media or video library, because audio and video capabilities were not added until the latest iteration of the browser.
Mozilla plans to only provide security and stability updates for version 3.0 until next month, so users are encouraged to update to Firefox 3.5.
Firefox 3.5.6 and 3.0.16 can be downloaded now for Windows, Mac OS X and Linux from the Mozilla site.
The two other critical bulletins address bugs in the browsers “libtheora” video library and “liboggplay” media library. An integer overflow vulnerability in the video library could be exploited by an attacker who uses a specially crafted video to cause a crash, run arbitrary code or initiate a denial-of-service attack. Several bugs in the liboggplay media library caused memory safety issues.
The update also closes one vulnerability rated “high” in severity, three rated "moderate", and one rated "low."
Mozilla has also released an update for Firefox 3.0, which address all the vulnerabilities in version 3.5 except those in the media or video library, because audio and video capabilities were not added until the latest iteration of the browser.
Mozilla plans to only provide security and stability updates for version 3.0 until next month, so users are encouraged to update to Firefox 3.5.
Firefox 3.5.6 and 3.0.16 can be downloaded now for Windows, Mac OS X and Linux from the Mozilla site.
