Mozilla issued an update to its Firefox browser, plugging a number of critical flaws in browser processes that could be exploited by an attacker to gain access to sensitive data.
In bulletin MFSA 2008-42, holes in the browser's graphics and image rendering engines were repaired. Mozilla said the flaws "showed evidence of memory corruption under certain circumstances." The bulletin was rated critical.
Bulletin MFSA 2008-41 addresses a series of vulnerabilities that could be exploited "to pollute XPCNativeWrappers and have arbitrary code run with chrome privileges," Mozilla said. The bulletin was also rated critical.
The French Security Incident Response Team (FrSIRT) warned in its advisory that the vulnerabilities could be exploited by attackers to "bypass security restrictions, disclose sensitive information, cause a denial of service or take complete control of an affected system." FrSIRT identified 10 flaws that could be exploited by an attacker.
In two bulletins rated moderate, Mozilla addressed several flaws that allowed a directory traversal on Linux, as well as an error that allowed the restrictions imposed on local HTML files to be bypassed. The error could let an attacker read information about a system, Mozilla said.
A click-hijacking vulnerability was also repaired. The vulnerability had the potential to allow an attacker to trick a user into downloading a file or performing other drag-and-drop actions, Mozilla said.
Danish vulnerability clearinghouse Secunia rated the Mozilla update "highly critical." In its advisory, Secunia said the combination of vulnerabilities could allow an attacker to execute arbitrary code.