Mozilla discloses six security flaws

The most serious of the half-dozen vulnerabilities is a "critical" flaw in Firefox, Thunderbird and SeaMonkey that can allow crashes if exploited. Mozilla’s investigators have presumed the flaw to allow arbitrary code, according to an advisory.

The organization also advised users to disable JavaScript in Thunderbird or the mail portions of SeaMonkey.

Mozilla credited its developers and security community with reporting the flaw.

All disclosed flaws were fixed in Firefox versions 2.0.0.4 and 1.5.0.12, Thunderbird 2.0.0.4 and 1.5.0.12 and SeaMonkey 1.0.9 and 1.1.2.

Mozilla also warned of a "high" impact cross-site scripting bug in Firefox that could be used to inject malicious code onto a victimised site. Users were advised to disable JavaScript until a fixed version can be installed.

The Mountain View, Calif.-based organization also fixed a "moderate" security vulnerability in Thunderbird and SeaMonkey APOP Authentication, as well as three "low" impact vulnerabilities in XUL Popup Spoofing, cookie handling and form autocomplete.

A Mozilla representative could not immediately be reached for comment.

Amol Sarwate, director of Qualys’ vulnerability research lab, told SCMagazine.com that Mozilla has done well in ranking the flaws’ risk.

"I think that Mozilla did a pretty good job in categorising the vulnerabilities," he said. "The first [a memory corruption flaw] is definitely critical because there are a large number of malicious websites that can use a vulnerability like this to get [malicious code] on to your machine."

FrSIRT ranked the six flaws as "critical" in an advisory released Wednesday.

Secunia cited four of the vulnerabilities in an advisory released today, raking them "highly critical."

The fixes mark the last release for Firefox version 1.5, for which support ended this week, according to the Mozilla Developer Center site. Firefox 1.5.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.

Earlier this week, a University of Indiana graduate student said on his blog that a flaw exists in browser extensions that could be exploited by malicious users. The add-on bug was found in the "upgrade mechanism" used in Firefox extensions.

Many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, have been notified of the bug but have yet to provide a patch.

Mozilla patched three flaws in two March releases.

disclosesflawsmozillasecuritysix