Sep 8, 2010 07:38 GMT

Mozilla has released version 3.6.9 of its popular Firefox Web browser in order to address numerous security issues, many of which are rated as critical.

In total, ten of the security advisories bear the critical impact key, but the actual number of patched vulnerabilities is higher since one of them covers "several memory safety bugs in the browser engine."

By Mozilla standards, critical means that the flaw can be exploited remotely by attackers to execute arbitrary code on targeted systems.

This update also fixes a weakness that exposed the browser to attacks leveraging a Windows design flaw known as binary planting or DLL hijacking.

The vulnerability affects hundreds of applications and stems from the way Windows searches for DLL files to load when no absolute path is specified.

"Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed," the Mozilla security advisory explains.
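The layout the advisory describes, a copy of dwmapi.dll sitting in the same directory as an HTML file, can be hunted for on disk. The following is an added example, not code from Mozilla or from the original article; the watched DLL list, the document extensions, the function names and the sample directory tree are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

WATCHED_DLLS = {"dwmapi.dll"}       # the library named in the Mozilla advisory
DOCUMENT_EXTS = {".html", ".htm"}   # assumption: file types opened with the browser


def find_planted_dlls(root, trusted_dirs=()):
    """Return (directory, dll_name, [documents]) for every directory under
    root that holds a watched DLL next to at least one document."""
    trusted = {Path(d).resolve() for d in trusted_dirs}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if here in trusted:         # legitimate system copies are expected here
            continue
        # Windows file names are case-insensitive, so compare in lower case.
        dlls = sorted(f for f in filenames if f.lower() in WATCHED_DLLS)
        docs = sorted(f for f in filenames
                      if Path(f).suffix.lower() in DOCUMENT_EXTS)
        if docs:
            findings.extend((str(here), dll, docs) for dll in dlls)
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed sample layout (empty files) for the demo."""
    layout = {
        "Downloads/invoice": ["invoice.html", "DWMAPI.DLL"],  # suspicious pair
        "Downloads/clean": ["report.html", "style.css"],      # no DLL
        "System32": ["dwmapi.dll", "readme.htm"],             # trusted location
        "Tools": ["dwmapi.dll"],                              # DLL, no document
    }
    base = Path(base)
    for rel, names in layout.items():
        directory = base / rel
        directory.mkdir(parents=True)
        for name in names:
            (directory / name).write_bytes(b"")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for directory, dll, docs in find_planted_dlls(root, [root / "System32"]):
            print(f"{directory}: {dll} next to {', '.join(docs)}")
```

A hit is only a lead for review: the DLL still has to be checked (signature, origin, timestamps) before it is treated as planted.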

Two cross-site scripting (XSS) vulnerabilities discovered in separate components, one rated as high and one as moderate, have also been addressed.

Two other fixed flaws are rated as low, but one of them actually has a critical impact on older products based on Gecko 1.9.1, like Firefox 3.5, where it allows for remote code execution.

The new Firefox 3.6.9 also adds support for the X-FRAME-OPTIONS HTTP response header, which webmasters can use to prevent clickjacking (UI redressing) attacks.

Firefox 3.6.9 for Windows can be downloaded from here.

Firefox 3.6.9 for Mac can be downloaded from here.

Firefox 3.6.9 for Linux can be downloaded from here.