Mozilla released a hefty security update Tuesday, fixing several flaws digital miscreants could exploit in Firefox, SeaMonkey and Thunderbird to bypass security programs, access sensitive information and launch cross-site scripting attacks.
Ultimately, the attacker could take complete control of the targeted machine. Mozilla urged users to upgrade to Firefox versions 18.104.22.168 or 22.214.171.124. The latter version is for those who recently upgraded to Firefox 2.0.
According to the Mozilla bulletins, the vulnerabilities are:
- An error that occurs when the CPU's floating point precision is reduced. This could happen on Windows machines when the user loads a plug-in creating a Direct3D device. Doing so could prevent the "js_dtoa()" function from exiting, leading to memory corruption.
- A Windows bitmap boundary error attackers could exploit to cause a heap-based buffer overflow.
- An error in LiveConnect that causes an already freed object to be used. Attackers could exploit this to launch malicious code.
- An error in how SVG comment objects are handled. Attackers could exploit this to corrupt system memory and launch malicious code.
- A condition in which the "Feed Preview" feature of Firefox 2.0 may leak feed-browsing habits to Web sites when retrieving the icons of installed Web-based feed viewers.
- A function prototype regression in Firefox 2.0 attackers could exploit to launch malicious HTML and script code in a user's browser session.