| Mozilla issues Firefox, Thunderbird security patches |
Nov. 08, 2006
  Two weeks after the general release of Firefox 2.0, Mozilla Corp. on Nov. 8 released a group of "critical updates" aimed at improving security for its older Firefox web browser series (v1.5x), its Thunderbird email client, and its SeaMonkey web application suite.
Mozilla was in the process Nov. 8 of sending automatic updates to all Firefox 1.5.x users.
SeaMonkey, formerly the Mozilla Application Suite, includes a browser, advanced email and newsgroup client, IRC chat client, and HTML editor.
A Mozilla spokesperson said users of any of unpatched versions of any of the above software face the risk of hackers taking over their PCs by using security bypass, cross-site scripting, system access, and denial-of-service attacks.
The new patches cure a Firefox v1.5.0.8 vulnerability (an RSA signature forgery bug) that was not fixed in an earlier bugfix release, the spokesperson said.
Mozilla said that during the development of Firefox 1.5.0.8, developers fixed several bugs to improve the stability of the product and later found out that some of the crashes showed evidence of memory corruption.
"We presume that at least some of these could be exploited to run arbitrary code with enough effort," according to the release notes.
The Firefox update also fixes an error within the handling of scripting objects. This can potentially be exploited to execute arbitrary JavaScript bytecode by modifying already-running Script objects, the spokesperson said.
Since Thunderbird shares the Gecko browser engine with Firefox, it could be vulnerable if JavaScript were to be enabled in mail. Mozilla therefore strongly urged users to stop running JavaScript in mail.
Mozilla has said it will maintain Firefox 1.5.0.x with security and stability updates until April 24, 2007.
You can download the free-of-charge Firefox here, Thunderbird here, and SeaMonkey here.
Related Stories:
(Click here for further information)
|
|
|
|
|
|
|
|
