This week, Mozilla patched seven vulnerabilities with the latest security update, available both with automatic updates and manual download from the company"s website, for Firefox 1.5.0.10 and Firefox 2.0.0.2. The security update was originally slated for a February 21 release but was pushed back to accommodate a fix for the location.hostname vulnerability. The vulnerability allows malicious Web sites to manipulate authentication cookies for third-party sites. "We strongly recommend that all Firefox users upgrade to this latest release. This update resolves the location.hostname vulnerability and other security and stability issues. Thanks to the work of our contributors, we have been able to address these issues quickly in order to minimize the security risk to Firefox users," said Mike Schroepfer, VP of engineering at Mozilla.
The open-source software maker is already working on another serious bug that Michal Zalewski, a Polish security researcher, described as a memory-corruption issue on his mailing list, Full Disclosure: "I noticed that Firefox is susceptible to a pretty nasty, and apparently easily exploitable memory corruption vulnerability. When a location transition occurs and the structure of a document is modified from within onUnload event handler, freed memory structures are left in inconsistent state, possibly leading to a remote compromise."