Mozilla has released Firefox 6 through its automatic update mechanism and the new version of the group’s popular browser includes fixes for 10 vulnerabilities, several of them critical flaws that could allow remote code execution.
The new version of Firefox comes just two months after Mozilla released Firefox 5, which included some security upgrades such as Do Not Track functionality. Firefox 6, however, is mostly a cosmetic and functional upgrade that also includes a small truckload of security fixes. The most serious of the vulnerabilities are four memory-safety bugs that Mozilla said could allow a remote attacker to run code on users’ machines.
“Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in the security advisory for Firefox 6.
All four of the memory-safety vulnerabilities are rated critical, as are four other flaws, including:
- Unsigned scripts being able to call a script inside a signed JAR
- A string crash using WebGL shaders
- A heap overflow in the ANGLE library
- A crash in SVGTextElement.getCharNumAtPosition()
There are also two other vulnerabilities fixed in Firefox 6 that are rated high risk. Current Firefox users can get version 6 through the automatic update mechanism in the browser.