Mozilla is updating its Firefox web browser to plug holes in its own software and to help prevent users from running other vendors' vulnerable software as well.
Firefox 3.5.3 is being released with three critical security advisories from Mozilla. One is a “Crashes with evidence of memory corruption” advisory, as has been the case with many Firefox releases over the past two years.
“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla states in its advisory.
There is also an interesting “TreeColumns dangling pointer vulnerability” that was reported to Mozilla by way of the TippingPoint Zero Day Initiative (ZDI). ZDI pays security researchers for their vulnerabilities and then responsibly discloses them to vendors so they can be fixed.
The tree element flaw deals with a XUL (XML User-interface Language) element that could have been abused to let an attacker potentially run arbitrary code.
The final critical advisory issued by Mozilla is a privilege escalation issue in the BrowserFeedWriter element.