The Firefox browser has been updated for four security flaws, three of which were rated as “critical,” according to Mozilla.
“Mozilla has released a security advisory to address multiple vulnerabilities,” an advisory from US-CERT said. “These vulnerabilities may allow an attacker to execute arbitrary code, mislead users by spoofing a URL, or cause a denial-of-service.”
Another update from Mozilla addressed problems in an older version of Firefox (3.0.14).
In a post on the Mozilla blog, Nicole Loux, who is "public relations practitioner and messaging masseuse" for Mozilla, encouraged users to upgrade immediately.
“We strongly recommend that all Firefox users upgrade to this latest release,” she wrote. “If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours.”
The three “critical” vulnerabilities fixed in the new 3.3.3 version included a chrome privilege-escalation bug, which could be leveraged to run JavaScript code from web content with elevated privileges, and a vulnerability in which the columns of an XML User Interface Language tree element could be manipulated. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.
Multiple errors in the browser and JavaScript engines were corrected so as to prevent crashes with memory corruption. Under certain circumstances, successful exploitation could permit a hacker to execute arbitrary code.
With the updates, users will be notified if they are running a vulnerable version of the Adobe Flash Player, enabling them to avoid crashes, stability issues and other security problems.
The new versions of Firefox 3.5.3 can be downloaded here.
