Mozilla Fixes 16 Firefox Holes, Updates SeaMonkey
The latest version of Firefox, 3.5.4, addresses a slew of errors found in various components, including JavaScript and browser engines, the GIF color map printer, number converter, and various third party libraries, affecting different versions of Microsoft Windows, Mac OS X, Linux and Unix systems.
If left unfixed, many of the critical Firefox vulnerabilities could pave the way for hackers to launch remote code execution attacks exploiting the popular Web browser by tricking users into clicking on a malicious link or viewing an infected Web page, as well as enticing them to download a malicious file while running the FireFox Web browser-- typically through some type of social engineering scheme.
The Firefox update repaired gaping memory holes in JavaScript, including a fix for a buffer overflow vulnerability in Mozilla's string to floating point number conversions. The vulnerability could open the door for hackers to launch arbitrary code attacks by crafting malicious JavaScript code containing an extra-long string converted to a floating point number that could result in memory glitches.
Mozilla also addressed safety and stability errors in several third party libraries used in media rendering, which could be exploited by remote attackers to crash a victim's browser or launch information-stealing code on their computer, presumably for identity theft activities.
For both errors, Mozilla recommended that users disable JavaScript until they are able to install an updated version of Firefox.
The update also repaired several stability bugs in the browser engine that could lead to system crashes while enabling attackers to execute malicious code exploiting the flaw.
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," according to the security advisory on the Mozilla Web site.
Also repaired in the Firefox update was a buffer overflow error in Mozilla's GIF image parser, which could also be used by attackers to crash a victim's browser and execute malicious code remotely.
In addition, Mozilla plugged chrome privilege escalation holes in XPCVariant, which could allow attackers to execute malicious JavaScript code with chrome privileges.
Meanwhile, the new version 2.0 of SeaMonkey, Mozilla's open source Internet suite, was released with the same internal platform as Firefox 3.5.4, giving the suite similar features such as user profiles, add-ons and user interface.
Altogether, the SeaMonkey update included a new add-on manager, which allows users to easily install, update, disable and remove plug-ins.
SeaMonkey 2.0 also stores its history in a better database designed to store more information, while the location bar touts a smarter algorithm to better determine what users are typing.
Mozilla also gave its cross-platform suite a new session restore function designed to restore windows and tabs automatically in the event of a system crash. Version 2.0 also includes updated and fully customizable toolbars, an improved cookie manager, a new form manager and new tabbed mail features, along with new IMAP accounts touting improved speed.