Mozilla patches 10 security bugs in Firefox browser

Five of the flaws fixed in Firefox 3.5.6 are critical and include vulnerabilities located in the rendering and JavaScript engines

Mozilla yesterday patched 10 bugs in Firefox, half of them critical, in the browser's rendering and JavaScript engines, media and video libraries, and other components.

Firefox 3.5.6, the browser's first security update since late October , fixed five flaws rated critical by Mozilla, one tagged as high, three pegged as moderate, and one labeled as a low threat. The five critical vulnerabilities were located in the rendering and JavaScript engines, and in the "liboggplay" and "libtheora" media and video libraries.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in the advisory that spelled out the rendering and JavaScript engine flaws.

Three of the four vulnerabilities outlined in MFSA-2009-065 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable to immediately patch the browser.

Firefox 3.0, which Mozilla will retire from security support next month, was also updated Tuesday with the release of version 3.0.16. The older browser received seven patches, just two of them marked critical.

The disparity between the versions' patch counts was due to several that affected only the newer Firefox 3.5, including the two critical bugs in the code libraries, and two of the engine vulnerabilities.

Tuesday's updates came just days before Mozilla is to release the fifth beta of Firefox 3.6, a minor update once set to ship before the end of the year, but that increasingly looks like it might straggle into 2010.

In fact, Mozilla sounded uncertain Monday whether it would actually deliver Beta 5. "Beta 5 builds are being tested by QA now, targeting a Thursday release unless we get to RC [Release Candidate] first," notes from a weekly status meeting stated. "We are really, really close to being code-complete & only need 8 more patches, and a TraceMonkey merge. If we can go to build today or tomorrow, QA will scrap Beta 5 and we'll release RC to the beta audience ASAP."

Mozilla last updated Firefox 3.6 three weeks ago, when it issued Beta 4 .

According to Web metrics company Net Applications, Firefox accounted for about 25 percent of all browsers used during the month of November. Over the past week, however, Firefox's usage share slipped slightly as users turned instead to Google's Chrome, which reached beta status for Mac and Linux on Dec. 8.

Firefox 3.5.6 and 3.0.16 can be downloaded now for Windows, Mac OS X and Linux from the Mozilla site. Current Firefox users can instead call up the browsers' update tools, or wait for automatic update notifications to appear in the next 48 hours.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter @gkeizer , send e-mail at gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed? .

This story, "Mozilla patches 10 security bugs in Firefox browser" was originally published by Computerworld.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies