Mozilla’s Firefox and Thunderbird are among the most popular web browsers and e-mail clients, respectively, for millions of users across the world. Their popularity is attributed to the browser's ease of use compared with other web browsers and to the email client's rich feature set. However, if you use Mozilla Firefox or Thunderbird, you will need to install several security updates that Mozilla published recently. The updates are essential for the legacy versions of both Thunderbird and Firefox. You will be prompted automatically to install them on your systems.

The latest release, Firefox 3.6.7 for Mac, Linux and Windows operating systems, fixes 14 security bugs. Of these, Mozilla rated eight as critical, two as high severity and four as moderate. The information-disclosure and spoofing problems include cross-origin leakage of a script file name in error messages, cross-domain data theft using CSS, multiple location bar spoofing vulnerabilities, characters mapped to U+FFFD in 8-bit encodings causing the next character to vanish, cross-origin data disclosure using importScripts and Web Workers, and a same-origin bypass using the canvas context. The code-execution problems include remote code execution with a malformed PNG image, an nsTreeSelection dangling pointer remote code execution vulnerability, an Array index integer overflow, arbitrary code execution using SJOW and a fast native function, and a remote code execution vulnerability in the plugin parameter EnsureCachedAttrParamArrays. The remaining problems include an error in NodeIterator, a DOM attribute cloning remote code execution vulnerability and a few miscellaneous memory safety hazards. The same bugs were fixed in Firefox 3.5.11, but Mozilla is encouraging its users to move to the upgraded version, Firefox 3.6.7.

Mozilla also issued important security updates for its popular email client, Thunderbird. The updates were provided for Thunderbird versions 3.1.1 and 3.0.6. Of the ten security advisories, a few applied specifically to version 3.1.1, and Mozilla marked five as critical. The major issues resolved include multiple memory safety issues that could lead to memory corruption, and vulnerabilities that can be exploited from a remote location to execute arbitrary code without the help of the infected system. Two other security updates addressed two integer overflow bugs in array classes used to implement the XUL <tree> element and to store CSS values. Another resolved issue allowed an attacker to execute JavaScript with elevated privileges. The critical buffer overflow vulnerability affected both the 3.1 and 3.0 versions of Thunderbird and was resolved with the recent security updates.

Two bugs marked as high severity allowed same-origin policies to be bypassed for JavaScript and canvas elements. Three other bugs, rated moderate severity, could lead to data theft or information leakage.

Mozilla has encouraged its users to upgrade to newer versions of Thunderbird as soon as possible, although the Thunderbird 3.0.x versions will continue to receive security updates from Mozilla for some time.