14 DAY TRIAL // Mozilla has released Firefox 6, the next version of its open source browser, addressing a number of critical vulnerabilities that can be exploited to compromise systems.
Several memory-related vulnerabilities affecting WebGL, JavaScript, Ogg reader and the browser engine itself, have been patched in this release.
"Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla writes in its advisory.
A issue where unsigned JavaScript can call scripting within a signed JAR, therefore inheriting its permissions, has been resolved.
A separate heap overflow vulnerability in the ANGLE library used by the WebGL implementation was also addressed, and so was a buffer overrun issue that could be triggered by an overly long WebGL shader program.
This kind of shader-based vulnerabilities were quoted by Microsoft as reason for not supporting the WebGL standard which exposes low-level graphic drivers to the Web.
Firefox 6 also fixes a critical dangling pointer vulnerability in the SVG text manipulation routine which was reported through TippingPoint's Zero Day Initiative program.
A high-risk information disclosure bug was identified and patched in Content Security Policy violation reports and so was a cross-domain issue with the Windows D2D hardware acceleration where image data from one domain could be inserted into a canvas and read by a different domain.
Firefox 6 is the second version from Mozilla's new rapid release cycle and Firefox 5 users should be silently updated to it. The release also contains several new features and other improvements that are not security-related.
The latest version of Mozilla Firefox for Windows can be downloaded from here. The latest version of Mozilla Firefox for Mac can be downloaded from here. The latest version of Mozilla Firefox for Linux can be downloaded from here.