RealTime IT News

Firefox Hits Seventh Heaven

Firefox users, update your browsers.

Mozilla has released its seventh update this year, Firefox 1.5.0.7, which fixes four critical security issues in the popular open source browser.

Among the four critical issues tagged by Mozilla in the update is Mozilla Foundation Security Advisory 2006-57, which describes a JavaScript Regular Expression Heap Corruption.

The corruption could lead to a heap buffer overflow, which could then be used by an attacker to run arbitrary code.

Mozilla Foundation Security Advisory 2006-59 describes a critical concurrency-related vulnerability that could trigger crashes.

"We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be," according to the Mozilla advisory.

Another critical security flaw fixed in Firefox 1.5.0.7 also deals with memory crash conditions that could lead to arbitrary code execution.

Mozilla Foundation Security Advisory 2006-64 actually deals with a number of crash conditions grouped together for the advisory under the title, "Crashes with evidence of memory corruption."

Mozilla's advisory notes that as part of Firefox 1.5.0.7, several bugs were fixed to improve stability.

"Some of these were crashes that showed evidence of memory corruption, and we presume that at least some of these could be exploited to run arbitrary code with enough effort."

The 1.5.0.7 release comes about a week later than it had first been expected.

As recently as Aug. 30, Mozilla developers had pegged Sept. 7 as the release date for the seventh update to the Firefox 1.5.x browser this year.

The delay was the result of Mozilla developers issuing a record-breaking number of release candidates for testing.

Last Friday, Mozilla developer Jay Patel wrote in a posting that, "We had to take a few fixes late last week and earlier this week, which has pushed out the release schedule for 1.5.0.7."

Those late fixes pushed the expected release out to Tuesday, Sept. 12.

On Monday Patel revised the schedule again.

"We had to respin for another security bug over the weekend and are now at rc6 (a new record!)," Patel wrote.