Firefox users, update your browsers.
Mozilla has released its seventh update this year, Firefox 184.108.40.206, which
fixes four critical security issues in the popular open source browser.
Regular Expression Heap Corruption.
The corruption could lead to a heap
buffer overflow, which could then be used by an attacker to run arbitrary code.
Mozilla Foundation Security Advisory 2006-59 describes a critical concurrency-related vulnerability that could trigger crashes.
“We have seen no demonstration that
these crashes could be reliably exploited, but they do show evidence of
memory corruption so we presume they could be,” according to the Mozilla advisory.
Another critical security flaw fixed in Firefox 220.127.116.11 also deals with
memory crash conditions that could lead to arbitrary code execution.
Mozilla Foundation Security Advisory 2006-64 actually deals with a number of crash conditions grouped together for the advisory under the title, “Crashes with evidence of memory corruption.”
Mozilla’s advisory notes that as part of Firefox 18.104.22.168, several bugs
were fixed to improve stability.
“Some of these were crashes that showed evidence of memory corruption, and
we presume that at least some of these could be exploited to run arbitrary
code with enough effort.”
The 22.214.171.124 release comes about a week later than it had first been
As recently as Aug. 30, Mozilla developers had pegged
Sept. 7 as the release date for the seventh update to the Firefox
1.5.x browser this year.
The delay was the result of Mozilla developers issuing a
record-breaking number of release candidates for testing.
Last Friday, Mozilla developer Jay Patel wrote in a posting that, “We had to
take a few fixes late last week and earlier this week, which has pushed out
the release schedule for 126.96.36.199.”
Those late fixes pushed the expected release out to Tuesday, Sept. 12.
On Monday Patel revised the schedule again.
“We had to respin for another security bug over the weekend and are now
at rc6 (a new record!),” Patel wrote.