Firefox hit by multiple drive-by download flaws

Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.

The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser's form history.

One of the critical issues affect media libraries introduced in Firefox 3.5 when audio and video capabilities were added.

Here's the skinny on the high-risk issues in this Mozilla Firefox patch batch:

• MFSA 2009-64 (Critical) -- Crashes with evidence of memory corruption.  Four different vulnerabilities were documented. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
• MFSA 2009-63 (Critical) -- Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community. Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer. liboggz, libvorbis, and liboggplay were all upgraded to address these issues.  Three different vulnerabilities were documented.
• MFSA 2009-59 (Critical) -- A heap-based buffer overflow in Mozilla's string to floating point number conversion routines allows an  attacker to  craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.
• MFSA 2009-57 (Critical) -- The XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web content, potentially executing malicious JavaScript code with chrome privileges.
• MFSA 2009-56 (Critical) -- A heap-based buffer overflow in Mozilla's GIF image parser. This vulnerability could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer. This flaw does not affect products built on the Gecko 1.8 browser engine such as Thunderbird 2.
• MFSA 2009-54 (Critical) -- Recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use. These conditions often result in a crash which could potentially be used by an attacker to run arbitrary code on a victim's computer. Web Workers were introduced in Firefox 3.5 so this vulnerability did not affect earlier releases such as Firefox 3.

The Firefox 3.5.4 update will be distributed via the browser's automatic update mechanism.  It should be deployed within the next 24 to 48 hours.  Alternatively, users can use the "Check for Updates" tool to manually apply the update.