14 DAY TRIAL // Mozilla has released its new Firefox 5 browser, as well as updates for Thunderbird and the older Firefox 3.6 branch, which address critical security vulnerabilities.
A total of eight vulnerabilities were fixed in Firefox 5, five of which are rated as critical, two as moderate and one as low, in terms of severity.
One patch deals with various memory safety hazards identified by Mozilla developers, one patches a use-after-free vulnerability in XUL rendering, another an integer overflow issue in the Array.reduceRight(), while a fourth deals with a memory corruption caused by multipart/x-mixed-replace images.
Two WebGL crashes have also been patched. "One crash was the result of an out-of-bounds read and could be used to read data from other processes who had stored data in the GPU. The second crash was the result of an invalid write and could be used to execute arbitrary code," the advisory explains.
Microsoft recently said that the WebGL technology is harmful for security because it exposes a low-level attack surface to the web that hasn't been designed to withstand attacks. These exploitable crashes partially suggest that indeed WebGL can be a source for serious vulnerabilities.
A moderate WebGL issue that allows the stealing of cross-domain images using textures has also been patched in Firefox 5, along with a cross-site scripting flaw with inline SVG. Finally, the low-risk vulnerability addressed allows non-whitelisted sites to trigger xpinstall processes.
The newly released Firefox 3.6.18 patches four of the critical vulnerabilities also fixed in Firefox 5, but also addresses multiple dangling pointer vulnerabilities deemed critical and a moderate cookie isolation error.
Thunderbird 3.1.11 has also been released, but no security advisory has yet been published for it. However, given that it uses the same version of the Gecko engine as Firefox 3.6, some of the flaws patched in that branch are also probably fixed in the new email client version. The latest version of Mozilla Firefox for Windows can be downloaded here. The latest version of Mozilla Firefox for Mac can be downloaded here. The latest version of Mozilla Firefox for Linux can be downloaded here. The latest version of Mozila Thunderbird for Windows can be downloaded here. The latest version of Mozila Thunderbird for Mac can be downloaded here. The latest version of Mozila Thunderbird for Linux can be downloaded here.