Mozilla has fixed several security issues with its new 3.0.7 release, after reports of several critical vulnerabilities surfaced. Out of the five vulnerabilities found in 3.0.6, Firefox tagged three as critical, one as high, and one as low.
Several critical stability bugs were identified in the browser engine used in Firefox: some of these crashes showed evidence of memory corruption under certain circumstances, Mozilla explained, and this could have been exploited to run arbitrary code. The problem has been fixed.
Another vulnerability, reported via TippingPoint’s Zero Day Initiative program by an anonymous individual, lies in the garbage collection process and was caused by improper memory management of a set of cloned XUL DOM elements, which resulted in the browser crashing. This vulnerability could have been exploited by an attacker to run arbitrary code, and has been fixed.
Another critical issue concerns several memory safety hazards in PNG libraries used by Mozilla, which could have been used by a malicious website to crash the victim’s browser and execute arbitrary code on their computer. This issue has been fixed.
Another vulnerability, which would have allowed a website to use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, has also been fixed, Mozilla said.
The Firefox 3.0.7 update, which was released on Wednesday, March 4, 2009, also fixes several stability issues, as well as issues related to accessibility features. In addition to that, the update also includes official releases for three new languages, namely Estonian, Kannada, and Telugu.
© 2007 - 2009 - eFluxMedia