Mozilla Patches Critical Bugs in Firefox, Thunderbird

The open-source group releases a batch of highly critical updates for the Firefox, Thunderbird and SeaMonkey products.

Its a bumper patch day in Mozilla land.

The open-source foundation released a batch of highly critical updates for the Firefox, Thunderbird and SeaMonkey brands and warned that unpatched users face the risk of PC takeover attacks.

The Firefox update applies to Firefox 1.5x and does not affect the newer Firefox 2.0 version. Mozilla says Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. After that, support will only be extended to Firefox 2 users.

The latest patch covers a trio of "highly critical" bugs that could cause security bypass, cross-site scripting, system access and denial-of-service attacks.

The Firefox rollout also corrects an RSA signature forgery bug that was not completely fixed in an earlier patch.

Mozilla said that during the creation of Firefox, developers fixed several bugs to improve the stability of the product and found that some of the crashes showed evidence of memory corruption. "We presume that at least some of these could be exploited to run arbitrary code with enough effort," the group said in the release notes.

Because the Thunderbird mail client shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail, Mozilla is strongly urging users to stop running JavaScript in mail.

"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data," the group warned.

The Firefox update also addresses an error within the handling of Script objects. This can potentially be exploited to execute arbitrary JavaScript bytecode by modifying already-running Script objects.

An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code, Mozilla officials said.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.