Firefox Update Patches Critical Security Flaws
Mozilla has pushed out a new version of Firefox with fixes for a number of security flaws, two of which were rated as critical. The new version also includes some accessibility improvements.
If you’re running Firefox 3, you should download this update now. At the moment, you’ll need to grab it by hand from the Mozilla site. According to Mozilla, there’s no evidence that either flaw has been exploited in the wild, but we recommend upgrading just to be on the safe side. Otherwise, Firefox’s auto-update feature should kick in within a few days and prompt users to install the latest version of the browser.
The update brings Firefox to version 3.0.2 and patches two critical security flaws: a memory corruption bug and a privilege escalation bug, which involved the XPCnativeWrapper component of Firefox. This privilege escalation bug is of particular note, as an attacker could use the exploit to run scripts inside your browser. Users running NoScript, or those surfing with JavaScript turned off aren’t likely to find themselves compromised, but this update contains a good number of fixes, so we’d recommend downloading it anyway. For a complete list of all the bug fixes, see Mozilla’s release notes.
If you haven’t made the leap to Firefox 3, be aware that the same two critical flaws affect Firefox 2, and Mozilla has released Firefox 2.0.0.17 as well. The Thunderbird e-mail client uses the same page-rendering engine as Firefox, and it could be exposed to the same vulnerabilities if JavaScript is enabled in e-mail. Mozilla strongly discourages users from reading e-mail with JavaScript enabled, and it’s not a default setting.
The latest version of Firefox 3 also includes a couple of significant accessibility improvements — Firefox 3.0.2 is now compatible with JAWS 7.10 and should also work with the JAWS 10 beta. For more details check out Marco Zehe’s accessibility blog.
See Also:
