The most serious of the half-dozen vulnerabilities is a "critical" flaw in Firefox, Thunderbird and SeaMonkey that can allow crashes if exploited. Mozilla’s investigators have presumed the flaw to allow arbitrary code, according to an advisory.
Mozilla credited its developers and security community with reporting the flaw.
All disclosed flaws were fixed in Firefox versions 18.104.22.168 and 22.214.171.124, Thunderbird 126.96.36.199 and 188.8.131.52 and SeaMonkey 1.0.9 and 1.1.2.
The Mountain View, Calif.-based organization also fixed a "moderate" security vulnerability in Thunderbird and SeaMonkey APOP Authentication, as well as three "low" impact vulnerabilities in XUL Popup Spoofing, cookie handling and form autocomplete.
A Mozilla representative could not immediately be reached for comment.
Amol Sarwate, director of Qualys’ vulnerability research lab, told SCMagazine.com that Mozilla has done well in ranking the flaws’ risk.
"I think that Mozilla did a pretty good job in categorising the vulnerabilities," he said. "The first [a memory corruption flaw] is definitely critical because there are a large number of malicious websites that can use a vulnerability like this to get [malicious code] on to your machine."
FrSIRT ranked the six flaws as "critical" in an advisory released Wednesday.
Secunia cited four of the vulnerabilities in an advisory released today, raking them "highly critical."
The fixes mark the last release for Firefox version 1.5, for which support ended this week, according to the Mozilla Developer Center site. Firefox 1.5.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.
Earlier this week, a University of Indiana graduate student said on his blog that a flaw exists in browser extensions that could be exploited by malicious users. The add-on bug was found in the "upgrade mechanism" used in Firefox extensions.
Many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, have been notified of the bug but have yet to provide a patch.
Mozilla patched three flaws in two March releases.
Mozilla discloses six security flaws
By Frank Washkuch on Jun 1, 2007 9:59AM