Mozilla fixes critical flaws in Firefox 2.0, Thunderbird

Mozilla has fixed seven vulnerabilities in the latest release of Firefox — SeaMonkey and Thunderbird are also affected.

Mozilla recommends users disable JavaScript in Thunderbird for the two critical flaws — MFSA 2008-15 and MFSA 2008-14 — since the e-mail client shares the same browser engine as Firefox.

The first, MFSA 2008-15, is a memory corruption flaw and could allow an attacker to run arbitrary code. Mozilla has identified JavaScript errors as the source, however, it warns that an attacker could also use large image files to execute an attack.

MFSA 2008-14 meanwhile permits an attacker to force a browser to run JavaScript code to conduct cross-site scripting and arbitrary code execution.

The two critical vulnerabilities resolved in Firefox's 2.0.0.13 release also affect Thunderbird and Mozilla's e-mail application suite, SeaMonkey Mozilla has identified two other "high impact" flaws — MFSA 2008-19 and MFSA 2008-18 — which could allow an attacker to create false log-in prompts and discover a user's identity through SSL certificates.

"It was possible to have a background tab create a borderless XUL [Mozilla's SML user interface language] pop-up in front of the active tab in the user's browser. This technique could be used by an attacker to spoof form elements such as a log-in prompt for a site opened in a different tab and steal the user's login credentials for that site," Mozilla advised on its known vulnerabilities Web page.

.