Mozilla Corporation fixed six vulnerabilities in its Firefox browser, the third time the open-source developer has updated Firefox in 2007. The updates bring the current browser to Version 2.0.0.4, and the 2005 edition to 1.5.0.12. Mozilla also reiterated that today"s patches would be Firefox 1.5"s last, and said that an update to Firefox 2.0.0.4 would be offered to its users "over the coming weeks."
MFSA 2007-12, the most serious of the six, patched 30 separate memory corruption bugs in the browser layout and JavaScript engines. Even Mozilla seemed unsure of their impact. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the advisory read. Mozilla warned that Thunderbird and SeaMonkey, which shares Firefox"s layout engine, may be vulnerable to these bugs as well and recommended that users do not enable JavaScript in Thunderbird or the mail portion of SeaMonkey.
The update also fixed a pop-up bug that could be used to mask parts of the browser, such as the address bar; a cross-site scripting vulnerability; a problem with how the browsers handle cookies; and a flaw that could let attackers crash Firefox using its autocomplete feature.