Mozilla on Tuesday patched 15 vulnerabilities in Firefox, 11 of them labeled critical.
One of yesterday's patches addressed a problem found in scores of Windows applications, making Firefox one of the first browsers to be patched against the DLL load hijacking bug that went public three weeks ago.
[ Microsoft has released a tool it says will block DLL load hijacking attacks. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Nearly three-quarters of the vulnerabilities in Firefox 3.6 were rated "critical," Mozilla's highest threat ranking, representing bugs that hackers may be able to use to compromise a system running Firefox, then plant other malware on the machine. Of the remaining flaws, two were pegged as "high" and one each was judged "moderate" and "low."
Four of the vulnerabilities were reported to Mozilla by HP TippingPoint's Zero Day Initiative (ZDI), the largest commercial bug bounty program, while another was handed to Mozilla's developers by David Huang and Collin Jackson, of Carnegie Mellon University's Silicon Valley-based CyLab.
Jackson and Huang were two of the three Carnegie Mellon researchers who recently published a paper on CSS cross-origin theft, a topic that made news last week when a Google security engineer demonstrated how a Twitter account could be appropriated by hackers by targeting Microsoft's Internet Explorer.
But the most notable fix of the 15 was the one that patched Firefox's DLL load hijacking bug.
Last month, HD Moore, chief security officer at Rapid7, announced that several dozen Windows programs were flawed because they call code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- using only a filename instead of a full pathname, giving hackers a way to commandeer a PC by tricking the application into loading a malicious file with the same name as the required DLL.
Other researchers later estimated that more than 200 different programs could be exploited, including Firefox and other browsers from Google, Opera, and Apple.
Apple patched Safari's DLL load hijacking vulnerability on Tuesday around the same time that Mozilla released Firefox 3.6.9.