Mozilla Closes Security Flaw in Firefox 10
Less than two weeks after releasing Firefox version 10, Mozilla has updated its popular Web browser to close a security flaw.
A critical security vulnerability has been fixed in Firefox 10.0.1, Mozilla wrote in its advisory Feb. 10. The serious use-after-free flaw was found in a component that is shared with other Mozilla products, including the Thunderbird mail client and SeaMonkey application suite.
"Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur. This crash may be potentially exploitable," Mozilla said in its advisory.
Firefox 9 and earlier versions are not affected by this vulnerability, according to Mozilla.
Mozilla had released Firefox 10 on Jan. 31. Nine security holes had been patched in the new version, of which five had been rated critical. The critical issues addressed included a potential memory corruption flaw, objects being accessible even after being removed, memory safety hazards, malformed stylesheets, and frame scripts bypassing security checks.