Firefox suffers critical bugs

Mozilla has patched security flaws in older versions of the browser, while version 3.6 has been hit by a zero-day flaw
Written by Matthew Broersma, Contributor

Mozilla has released fixes for five security holes in older versions of Firefox, while a security company has warned of a zero-day flaw in the latest version of the popular browser.

On Wednesday, Mozilla issued patches for versions 3.5.8 and 3.0.18 of the browser, sending out fixes for the latter even though it had said it would stop supporting Firefox 3.0 in January.

In its security bulletin, the company said the vulnerabilities had previously been resolved in Firefox 3.6, which was launched on 21 January.

The five flaws addressed by Mozilla included three the company rated 'critical'. These three flaws involve an error in handling out-of-memory conditions; stability errors in the Gecko rendering engine; and a bug in the way Mozilla's implementation of web workers handles posted messages, Mozilla said. Web workers are used to carry out scripting tasks in a way that reduces the processing load on the user interface.

All three of these bugs can potentially be used to execute malicious code and take over a user's system, Mozilla said.

The two remaining flaws are less serious, potentially allowing an attacker to execute malicious JavaScript code.

The security updates to Firefox 3.5.8 and 3.0.18 are available for Windows, Mac OS X and Linux from Mozilla's website or via the browser's built-in update system.

Separately, Secunia on Thursday reported an unpatched bug in Firefox 3.6, the most recent version of the browser. The security research firm warned that the software contains a bug that could be used to execute malicious code on a user's system.

The zero-day bug was released as part of VulnDisco Pack, an add-on module for Immunity's Canvas penetration-testing software, according to Secunia. VulnDisco Pack developer Intevydis did not release details on the bug, but Secunia ranked it 'highly critical'.
