Mozilla fixes critical Firefox, Thunderbird flaws

Mozilla has fixed seven vulnerabilities in the latest release of Firefox, with SeaMonkey and Thunderbird also affected.

Mozilla recommends users disable JavaScript in Thunderbird for the two critical flaws — MFSA 2008-15 and MFSA 2008-14 — since the email client shares the same browser engine as Firefox.

MFSA 2008-15 is a memory-corruption flaw and could allow an attacker to run arbitrary code. Mozilla has identified JavaScript errors as the source. However, it warned that an attacker could also use large image files to execute an attack.

MFSA 2008-14, meanwhile, permits an attacker to force a browser to run JavaScript code to conduct cross-site scripting and arbitrary code execution.

The two critical vulnerabilities resolved in Firefox's 2.0.0.13 release also affect Thunderbird and Mozilla's email application suite, SeaMonkey. Mozilla has identified two other "high impact" flaws — MFSA 2008-19 and MFSA 2008-18 — which could allow an attacker to create false login prompts and discover a user's identity through SSL certificates.

"It was possible to have a background tab create a borderless XUL [Mozilla's SML user-interface language] pop-up in front of the active tab in the user's browser. This technique could be used by an attacker to spoof form elements, such as a login prompt for a site opened in a different tab, and steal the user's login credentials for that site," Mozilla advised on its known-vulnerabilities web page.