Firefox fixes two
Written by Editor   
Wednesday, 16 July 2008 22:30

The Mozilla Foundation has today released new Firefox 3.0.x and 2.0.0.xx releases, which address two critical security vulnerabilities.

The new releases bring the 2.0 branch of Firefox to version 2.0.0.16 and the Firefox 3 branch to 3.0.1. The two vulnerabilities are described in:
  • MFSA 2008-35 - Command-line URLs launch multiple tabs when Firefox not running
  • MFSA 2008-34 - Remote code execution by overflowing CSS reference counter

The interesting thing to note about MFSA 2008-34 is that it also affects Thunderbird if JavaScript is enabled in the mail reader. By default this is not the case, and users are discouraged from enabling this feature. MFSA 2008-34 was reported as part of the TippingPoint "we pay you for your vulnerabilities" initiative. The vulnerability is caused by an insufficiently sized buffer being used as a reference counter for CSS objects.
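The bug class behind MFSA 2008-34, shown as an added example that is not Mozilla's code: a reference counter too narrow for the number of references it must track wraps around, so the object is freed while references remain, whereas a saturating counter leaks the object instead. The `css_obj` type, the function names and the 16-bit width are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object; the 16-bit counter width is an assumption. */
typedef struct {
    uint16_t refs;   /* too narrow for the number of possible references */
    bool     freed;
} css_obj;

/* Unchecked: after 65536 increments the counter is back where it started. */
static void addref_unchecked(css_obj *o) { o->refs++; }

/* Hardened: stop at the maximum instead of wrapping. */
static void addref_saturating(css_obj *o) {
    if (o->refs != UINT16_MAX) o->refs++;
}

static void release(css_obj *o, bool saturating) {
    /* A saturated counter has lost count, so the object is pinned:
       leaking it is safe, freeing it would leave dangling references. */
    if (saturating && o->refs == UINT16_MAX) return;
    if (--o->refs == 0) o->freed = true;
}

/* Take extra_refs references on top of the owner's, drop one, and report
   whether the object was freed while other holders still exist. */
static bool freed_while_referenced(uint32_t extra_refs, bool saturating) {
    css_obj o = { .refs = 1, .freed = false };
    for (uint32_t i = 0; i < extra_refs; i++) {
        if (saturating) addref_saturating(&o);
        else            addref_unchecked(&o);
    }
    release(&o, saturating);
    return o.freed;
}

int main(void) {
    printf("unchecked,  65536 refs: freed early = %d\n",
           freed_while_referenced(65536u, false));
    printf("saturating, 65536 refs: freed early = %d\n",
           freed_while_referenced(65536u, true));
    return 0;
}
```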

MFSA 2008-35 was reported by security researcher Billy Rios. It was reported that if Firefox is not already running, passing it a command-line URI containing pipe ('|') symbols will open multiple tabs. This URI-splitting technique could be used to launch chrome: URIs from the command line and is a partial bypass of a previously fixed issue.

It is highly recommended that all Firefox users install the latest versions. If you are still using the Firefox 2.0.0 series, it is recommended that you consider upgrading to Firefox 3, mainly because come December the Mozilla Foundation will cease support of the 2.0.0 branch of Firefox and future issues may go without fixes.

Last Updated ( Wednesday, 16 July 2008 22:34 )