Mozilla is out this week with Firefox 3.5.9 and 3.0.19 updates, fixing multiple security vulnerabilities in the open source Web browser’s two branches, while announcing that the older of the two branches is being phased out.
As part of the update, Mozilla also issued new advisories on problems that also impact Firefox 3.6.2 browser, which it released last week, in addition to the 3.5.x and 3.0.x browsers.
With the 3.0.19 update, Mozilla is pledging to end the 3.0.x branch, which first debuted in June 2008.
“This is the last planned security and stability release for Firefox 3.0,” said Christian Legnitto, Mozilla’s new release driver for security and stability releases. Legnitto joined Mozilla earlier this month after a previous stint working at Apple, where he worked on stability and security releases for Mac OS X.
Among the fixes in the Firefox 3.5.9 and 3.0.19 updates are five that Mozilla identifies as being “critical,” four of which it also fixed in Firefox 3.6. At the time of the Firefox 3.6.2 release, Mozilla only issued one advisory for an issue that had affected only that particular browser.
For all three browsers, the updates include a fix for crashes with evidence of memory corruption, a commonly fixed item in Firefox releases.
Also being addressed in two of the branch updates is a remote code execution issue, whereby XUL
“Security researcher ‘regenrecht’ reported via TippingPoint’s Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted,” Mozilla stated in its advisory. “This results in the execution of previously freed memory which an attacker could use to crash a victim’s browser and run arbitrary code on the victim’s computer.”
There are also fixes for a pair of dangling pointer vulnerabilities, which occur when a pointer
Lastly, Mozilla is providing a fix for a privilege escalation issue in the browser.
Locking down new Web browser threats
Mozilla is now also working on a number of other security fixes including one that potentially exists in every major browser currently shipping. All major browsers include a CSS
“We have to be realistic, though: there are many ways all browsers leak information about you, and fixing CSS history sniffing will not block all of these leaks” Mozilla wrote in a blog post. “But we believe it’s important to stop the scariest, most effective history attacks any way we can since it will be a big win for users’ privacy.”