The Mozilla Foundation posted a “critical” security advisory on April 21, stating that crashes of certain Mozilla products had revealed evidence of memory corruption under certain circumstances. Mozilla cautions that this corruption could be exploited to run arbitrary code.
The affected Mozilla products included Firefox, Thunderbird and SeaMonkey. The stability bugs have already been fixed in Firefox 3.0.9, Thunderbird 2.0.0.22 and SeaMonkey 1.1.16.
“Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail,” Mozilla developers wrote in the advisory. “This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images.”
As a workaround to this issue, the developers suggested disabling JavaScript until a version “containing these fixes can be installed.”
The advisory references crashes in the Firefox 3 browser and JavaScript engine, with crashes affecting Firefox 2 in certain instances as well.
On March 12, Mozilla released Firefox 3.1 beta 3 Web browser for developer evaluation and feedback. Beta 3 is based on the Gecko 1.9.1 rendering platform and supposedly features improvements to Web worker thread support, increased stability with the TraceMonkey JavaScript engine, native JSON support, and support for <video> and <audio> elements. The Foundation claimed that the beta release was stable.
March was a busy month for Firefox; during the same period, Mozilla created a patch for a zero-day vulnerability in the Firefox Web browser, after an attack code for a Firefox flaw ended up published on a number of security sites. In that instance, the attack code took advantage of an Extensible Stylesheet Language (XSL) parsing “root” XML tag remote memory corruption vulnerability, potentially opening a system to a software install without the user’s consent
A Mozilla update also plugged eight security holes, six of them critical, in Firefox 3.07.
A report by Secunia found that Mozilla Firefox had more vulnerabilities than Internet Explorer, Apple Safari and other Web browsers in 2008, although Mozilla has been faster than Microsoft to patch vulnerabilities disclosed publicly without prior vendor notification.
According to Secunia’s research, Firefox had 115 security vulnerabilities uncovered in 2008.
Since its original release in 2004, Firefox has grown to become the second-most popular Web browser in the United States, with regard to market share, after Microsoft Internet Explorer. It maintains a lead over Apple Safari and Google Chrome.