Mozilla fixes Firefox with new release

Mozilla fixes Firefox with new release. (IMG:J.Anderson)

Mozilla has released an update for Firefox that addresses three critical and two moderate security issues. One interesting note is that Tuesday’s patch releases from Mozilla extend Firefox 3.0.x’s shelf life for at least another month, as the patches will move that branch up to 3.0.18.
Firefox versions 3.5.8 and 3.0.18 address three critical flaws in the browser’s rendering engine, including one that centers on the HTML phaser and the fact that it incorrectly frees used memory when insufficient space was available to process remaining input.
“Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called,” Mozilla noted when discussing the flaw in an advisory.
The other critical flaws deal with potential code execution, due to browser crashes. One such crash was reported in Mozilla's implementation of Web Worker. Web Worker contained an error in the way it handled array data types when processing posted messages. If exploited, an attacker can “corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer,” Mozilla said.
Two Cross Site Scripting (XSS) flaws were also addressed in Tuesday’s updates, one of which, according to an advisory, was reported by a researcher working for Microsoft.
For those using Firefox 3.6, you have no need to worry about updates. The flaws fixed on Tuesday were already corrected when Mozilla released it in January.
Security details are here.. Most users should have the proper patch thanks to the update system; it can also be downloaded from the Firefox website.