Firefox 3.5.6 closes a number of “critical” flaws, which could allow an attacker to crash a victim's browser or run arbitrary code on an affected computer. This is the first time Firefox has been updated for security since late October.
Of the seven security bulletins released by Mozilla as part of the update, one listed as critical addresses several stability bugs in the browser engine used in Firefox that could cause a crash.
“Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code,” Mozilla said in its bulletin.
The two other critical bulletins address bugs in the browsers “libtheora” video library and “liboggplay” media library. An integer overflow vulnerability in the video library could be exploited by an attacker who uses a specially crafted video to cause a crash, run arbitrary code or initiate a denial-of-service attack. Several bugs in the liboggplay” media library caused memory safety issues.
The update also closes another vulnerability rated “high” in severity, three "moderate" and one rated "low."
Also on Tuesday, Mozilla released an update for Firefox 3.0, which address all the vulnerabilities in version 3.5 except those in the media or video library because audio and video capabilities were not added until the latest iteration of the browser.
Mozilla plans to only provide security and stability updates for version 3.0 until next month, so users are encouraged to update to Firefox 3.5.