Firefox Update Brings Security Fixes

The Mozilla Foundation has released what it calls a "security update" to its flagship Firefox Web browser, which resolves three critical vulnerabilities. The 1.0.4 update comes just three days after two exploitable flaws were uncovered by security firm Secunia that were deemed "extremely critical."

The two flaws reported Monday were given Secunia's highest rating due to exploit code that was already in the wild. The first vulnerability stemmed from a bug that enables IFRAME JavaScript URLs to be executed in the context of another URL in Firefox's history list.

The second flaw involved the update mechanism used by Mozilla. An attacker could use the first Firefox vulnerability to run arbitrary code using the second vulnerability, potentially gaining control of a user's system, Secunia said in its advisory.

Firefox 1.0.4 also fixes another issue related to a flaw that was patched in version 1.0.3. The issue enabled JavaScript and Script objects to be run with potentially higher privileges than when they were created.

The Mozilla Suite was updated to version 1.7.8 in conjunction with the new Firefox release. All users are urged to download the latest update in order.

In accordance with its security practices, bug and exploit details will be withheld until May 18.