Mozilla patches 10 security bugs with Firefox 3.5.6

Mozilla yesterday patched 10 bugs in Firefox, half of them critical, in the browser's rendering and JavaScript engines, media and video libraries, and other components.

Firefox 3.5.6, the browser's first security update since late October, fixed five flaws rated critical by Mozilla, one tagged as high, three pegged as moderate, and one labeled as a low threat. The five critical vulnerabilities were located in the rendering and JavaScript engines, and in the "liboggplay" and "libtheora" media and video libraries.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in the advisory that spelled out the rendering and JavaScript engine flaws.

Three of the four vulnerabilities outlined in MFSA-2009-065 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable to immediately patch the browser.

Firefox 3.0, which Mozilla will retire from security support next month, was also updated Tuesday with the release of version 3.0.16. The older browser received seven patches, just two of them marked critical.

The disparity between the versions' patch counts was due to several that affected only the newer Firefox 3.5, including the two critical bugs in the code libraries, and two of the engine vulnerabilities.

Tuesday's updates came just days before Mozilla is to release the fifth beta of Firefox 3.6, a minor update once set to ship before the end of the year, but that increasingly looks like it might straggle into 2010.

In fact, Mozilla sounded uncertain Monday whether it would actually deliver Beta 5. "Beta 5 builds are being tested by QA now, targeting a Thursday release unless we get to RC [Release Candidate] first," notes from a weekly status meeting stated. "We are really, really close to being code-complete & only need 8 more patches, and a TraceMonkey merge. If we can go to build today or tomorrow, QA will scrap Beta 5 and we'll release RC to the beta audience ASAP."

Mozilla last updated Firefox 3.6 three weeks ago, when it issued Beta 4.

According to web metrics company Net Applications, Firefox accounted for about 25% of all browsers used during the month of November. Over the past week, however, Firefox's usage share slipped slightly as users turned instead to Google's Chrome, which reached beta status for Mac and Linux on December 8.

Firefox 3.5.6 and 3.0.16 can be downloaded now for Windows, Mac OS X and Linux from the Mozilla site. Current Firefox users can instead call up the browsers' update tools, or wait for automatic update notifications to appear in the next 48 hours.