Users are advised to upgrade to 3.6.7

Jul 21, 2010 10:55 GMT  ·  By

Mozilla has released Firefox 3.6.7, an update which addresses several security and stability issues. In total, eight critical, two high and four moderate security advisories were issued along with the new version of the popular browser.

According to Mozilla's severity rating system, vulnerabilities marked as critical allow attackers to execute arbitrary code remotely in a manner that is transparent to users. Even though there are eight security advisories marked as critical for this release, the number of critical bugs fixed is actually larger, because one advisory refers to several issues that could lead to memory corruption.

It is also noteworthy that five of the bugs were reported through TippingPoint's Zero Day Initiative (ZDI) program, where researchers are paid for discovered vulnerabilities. Another two critical bugs were found and reported by a Mozilla security researcher going by the online handle of moz_bug_r_a4. The “Mozilla developers and community” are credited with finding the issues in the collective advisory.

The final critical bug was actually located in libpng, a third-party reference library for processing PNG files. This vulnerability was found by a security researcher named Aki Helin and was patched in the latest version of libpng, released at the end of June. However, since Firefox uses a private build of the library, Mozilla had to develop a patch of its own.

The two high-severity issues consist of a vulnerability that can be leveraged to bypass the same-origin restrictions placed on a canvas element and read data from a different website, and a similar cross-origin data disclosure flaw that bypasses the same-origin policy of JavaScript.

The four moderate advisories refer to vulnerabilities that can have a critical or high impact but require special conditions to be exploited. One of them covers two methods of spoofing the address displayed in the location bar, an attack that could prove very valuable to phishers. Another allows cross-domain data theft via CSS.

Users are strongly advised to upgrade to the new Firefox version immediately. People who haven't yet received the automatic update notification can manually trigger it by accessing Tools > Check for Updates from the browser's menu bar.

The Firefox 3.6.7 stand-alone installer for Windows can be downloaded from here.

The Firefox 3.6.7 stand-alone installer for Mac can be downloaded from here.

The Firefox 3.6.7 stand-alone installer for Linux can be downloaded from here.

You can follow the editor on Twitter @lconstantin