The Mozilla Foundation posted a “critical” security advisory on April 21, stating that crashes of certain Mozilla products had revealed evidence of memory corruption under certain circumstances. Mozilla cautions that this corruption could be exploited to run arbitrary code.
The affected Mozilla products included Firefox, Thunderbird and SeaMonkey. The stability bugs have already been fixed in Firefox 3.0.9, Thunderbird 184.108.40.206 and SeaMonkey 1.1.16.
March was a busy month for Firefox; during the same period, Mozilla created a patch for a zero-day vulnerability in the Firefox Web browser, after an attack code for a Firefox flaw ended up published on a number of security sites. In that instance, the attack code took advantage of an Extensible Stylesheet Language (XSL) parsing “root” XML tag remote memory corruption vulnerability, potentially opening a system to a software install without the user’s consent
A Mozilla update also plugged eight security holes, six of them critical, in Firefox 3.07.
A report by Secunia found that Mozilla Firefox had more vulnerabilities than Internet Explorer, Apple Safari and other Web browsers in 2008, although Mozilla has been faster than Microsoft to patch vulnerabilities disclosed publicly without prior vendor notification.
According to Secunia’s research, Firefox had 115 security vulnerabilities uncovered in 2008.
Since its original release in 2004, Firefox has grown to become the second-most popular Web browser in the United States, with regard to market share, after Microsoft Internet Explorer. It maintains a lead over Apple Safari and Google Chrome.