Apple, Mozilla Fix Critical Leaks In Browsers


On Wednesday, Mozilla issued a security advisory on the company Web site alerting users to a security bug in its JavaScript garbage collector function by which specially crafted JavaScript code could cause memory corruption.

The company also warned that because Thunderbird, an email application, shares the browser engine with Firefox, that program could be vulnerable if JavaScript were to be enabled in mail. Mozilla warned users against running JavaScript in mail.

"This is being fixed primarily to address stability concerns," the advisory read. "We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past."

On the Apple side, the patch fixes two flaws in the Mac version of Safari and four flaws in the Windows version. For Windows systems running Safari, the patches fix vulnerabilities that hackers could exploit to remotely install malware on the user's system.


Another patch involved a flaw in Safari's open source WebKit framework (which also powers some elements of Apple Mail and Dashboard applications) that could allow attackers to carry out a cross-site scripting attack. This security hole also affects Safari's Mac users, where a maliciously crafted Web page may lead to an unexpected application termination or arbitrary code execution, according to Apple's advisory.

The WebKit patch, among other security issues, addresses a vulnerability discovered by security researcher Charlie Miller, who hacked a MacBook Air by exploiting an unknown vulnerability in Safari as part of the Hack-a-Mac contest at the CanSecWest security conference in Vancouver in March.