Mozilla patches highly critical security flaws

Open-source software developer releases an update that addresses vulnerabilities of users' sensitive information in Firefox, Thunderbird, and SeaMonkey.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
2 min read

Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.

Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version of Thunderbird and version 1.1.14 of SeaMonkey.

The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.

According to a research note released Wednesday by security researcher Secunia:

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system.

  1. Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
  2. An error when processing the "persist" XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
  3. Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.

One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and result in malicious attackers launching arbitrary code from users computers.

Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users' private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.