Mozilla patches critical Firefox flaws

Mozilla issued 10 patches on Friday for its Firefox browser, including three for critical vulnerabilities. The latest version of Firefox is now 2.0.0.12.

One of the critical vulnerabilities, MFSA 2008-06, is a problem in the way the browser handles images on certain Web pages.

It's possible to exploit the flaw to steal a person's Web browsing history, forward that information, then crash the browser. It may also be possible to run arbitrary code on a machine, Mozilla said.

A second critical vulnerability can enable a privilege escalation attack or remote code execution.

The last critical problem involves a memory corruption flaw that "we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.

Also notable is a fix for a problem with Mozilla's "chrome" protocol, which is the term Mozilla uses for its user interface. The problem involves some of Firefox's add-ons, or applications that users can download to extend browser functionality.

The vulnerability would let an attacker determine what applications are installed on a person's PC, which could give clues to how the machine could be compromised, Mozilla said. However, a victim would have to be lured to a special malicious Web page designed to take advantage of the flaw.