Version 2.0.0.14 of the Firefox web browser has been released by the Mozilla organisation. The update closes a security hole that developers opened up when patching a previously identified bug. Apple has also released an update for Safari that fixes four security vulnerabilities in the browser for Windows and Mac OS X. Attackers were able to use crafted websites to install trojans that could spoof the address bar or execute cross-site scripting attacks.
The vulnerabilities described in Mozilla security advisory MFSA2008-20 affect the JavaScript garbage collector. Apparently it could crash after the changes made to patch the holes published in security advisory MFSA2008-15 (browser crash with memory corruption). As a result, malicious code could be injected and executed, though there was no demonstration of an exploit in this case, unlike similar situations in the past.
Two of the vulnerabilities in Safari only affect the Windows version; the other two apparently affect both Mac OS X and Windows. Under Windows, file downloads with maliciously crafted names could crash the computer or allow injected program code to be executed. In addition, web sites could change the content of the address bar without loading the site indicated – the Apple developers had already remedied the flaw in Safari Beta 3.0.2, but it was apparently reinserted in 3.1.