Mozilla Foundation issued updates to Firefox repairing flaws that could allow cybercriminals to conduct URL spoofing attacks and other errors that could potentially expose sensitive information.
All five advisories were issued Wednesday, including three updates labeled critical. Firefox version 3.0.7 addresses critical flaws in the browser's PNG library. The library is used by Mozilla to display compressed PNG graphics files. The flaws could be used by an attacker to crash the browser and execute arbitrary code. In order for the flaws to be exploited, a user must browse to a malicious website, Mozilla said.
Mozilla fixed an error allowing a hacker to decode control characters in the location bar. If exploited, the attacker could display a misleading URL to a malicious Web page in the browser bar and steal sensitive data from users such as passwords and account information.
Critical stability flaws were also repaired in the browser engine. The bugs, which caused Firefox to crash, showed evidence of memory corruption.
"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.
In addition, a browser error that could allow an attacker to steal XML data from another domain was plugged, Mozilla said. A malicious website could allow an attacker to steal private data from users authenticated to the redirected website.