Mozilla released six security advisories on Wednesday for flaws in its Firefox, SeaMonkey and Thunderbird programs.
The most serious of the half-dozen vulnerabilities is a "critical" flaw in Firefox, Thunderbird and SeaMonkey that can allow crashes if exploited. Mozilla’s investigators have presumed the flaw to allow arbitrary code, according to an advisory.
Mozilla credited its developers and security community with reporting the flaw.
All disclosed flaws were fixed in Firefox versions 184.108.40.206 and 220.127.116.11, Thunderbird 18.104.22.168 and 22.214.171.124 and SeaMonkey 1.0.9 and 1.1.2.
The Mountain View, Calif.-based organization also fixed a "moderate" security vulnerability in Thunderbird and SeaMonkey APOP Authentication, as well as three "low" impact vulnerabilities in XUL Popup Spoofing, cookie handling and form autocomplete.
Window Snyder, Mozilla chief security something-or-other, told SCMagazine.com that the organization’s first priority was to push out a patch for the critical crash-allowing flaw in Firefox, SeaMonkey and Thunderbird, rather than determining whether it can also allow arbitrary code.
"That’s the result of our testing…We fix it. We don’t spend time analyzing whether or not it’s exploitable," she said, adding that a release leads to a "more robust and stable" user experience.
Amol Sarwate, director of Qualys’ vulnerability research lab, told SCMagazine.com today that Mozilla has done well in ranking the flaws’ risk.
"I think that Mozilla did a pretty good job in categorizing the vulnerabilities," he said. "The first (a memory corruption flaw) is definitely critical because there are a large number of malicious websites that can use a vulnerability like this to get (malicious code) on to your machine."
The fixes mark the last release for Firefox version 1.5, for which support ended this week, according to the Mozilla Developer Center site. Firefox 1.5.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.
Earlier this week, a University of Indiana graduate student said on his blog that a flaw exists in browser extensions that could be exploited by malicious users. The add-on bug was found in the "upgrade mechanism" used in Firefox extensions.
Mozilla patched three flaws in two March releases.
Get more IT security news. Click here for SC Magazine Blogs.