Softpedia
 


October 28th, 2010, 06:12 GMT · By

Extremely Critical Security Updates Released for Firefox and Thunderbird

Mozilla has released security updates for Firefox, Thunderbird and SeaMonkey in order to address a critical vulnerability already exploited in the wild to infect users with malware.

The vulnerability, identified as CVE-2010-3765, was reported by Morten Kråkvik from the security division (SOC) of Norwegian telecommunication company Telenor.

The flaw was exploited in a drive-by download attack launched from the compromised nobelpeaceprize.org, the website of the Nobel Peace Prize.

According to Mozilla's advisory, this security issue affected Firefox 3.5 and 3.6 on all operating systems and was addressed in the newly released Firefox 3.5.15 and 3.6.12.

As we previously reported, vulnerability research company Secunia rated this issue as extremely critical, its highest criticality ranking for a vulnerability.

Updates for Thunderbird and SeaMonkey, Mozilla's Internet suite, have also been released; however, the attack surface is smaller in Thunderbird.

"Reading mail in Thunderbird does not pose a risk to users, however the vulnerability is present and could be triggered in RSS feeds if JavaScript is enabled or by an add-on that enables browser-like functionality," Mozilla explains.

Last week, when Thunderbird 3.1.5 and 3.0.9 were released, developers announced that the next 3.0.10 version will be the last in the 3.0 branch. However, they probably weren't expecting this flaw to hit.

Mozilla should be commended for reacting so quickly to a dangerous zero-day vulnerability. This issue was reported to the Firefox developers on Monday evening, hours after it was identified in the wild.

By Tuesday evening a patch was already being tested and yesterday the fixed versions were pushed out to users.

"Thanks to Mozilla’s industry-leading open security process the fix has been created, tested, and released to users within 48 hours of first notification about the vulnerability," Mozilla writes on its developer center blog.

If you haven't yet received the update notification, you can trigger it by going to Help > Check for Updates or you can download and install the new version manually.


