It's a bumper patch day in Mozilla land.
The open-source foundation released a batch of highly critical updates for the Firefox, Thunderbird and SeaMonkey brands and warned that unpatched users face the risk of PC takeover attacks.
The Firefox update applies to Firefox 1.5x and does not affect the newer Firefox 2.0 version. Mozilla says Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. After that, support will only be extended to Firefox 2 users.
The latest patch covers a trio of “highly critical” bugs that could cause security bypass, cross-site scripting, system access and denial-of-service attacks.
The Firefox rollout also corrects an RSA signature forgery bug that was not completely fixed in an earlier patch.
Mozilla said that during the creation of this Firefox release, developers fixed several bugs to improve the stability of the product and found that some of the crashes showed evidence of memory corruption. “We presume that at least some of these could be exploited to run arbitrary code with enough effort,” the group said in the release notes.
An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code, Mozilla officials said.