The Register ®

Original URL: http://www.theregister.co.uk/2005/04/19/firefox_security_update/

Unholy trio menace Firefox

By John Leyden
Published Tuesday 19th April 2005 13:05 GMT

The Mozilla Foundation has released updated versions of its popular Firefox (version 1.0.3) and Mozilla (version 1.7.7) web browsers to correct a number of recently discovered security flaws. The updates fix a trio of critical vulnerabilities, two of which have become the subject of proof-of-concept hacker exploits.

Two of the flaws pose a severe risk after they were recently coded up in script-kiddie-friendly exploits: a bug (http://www.mozilla.org/security/announce/mfsa2005-37.html) that allows hackers to inject JavaScript code in link tags supporting "favicons", and a Mozilla-specific flaw (http://www.mozilla.org/security/announce/mfsa2005-39.html) that allows the execution of arbitrary code remotely via the Firefox sidebar. A third critical security bug, affecting versions of the browsers prior to Firefox 1.0.3 and Mozilla 1.7.7, involves privilege escalation (http://www.mozilla.org/security/announce/mfsa2005-41.html) via DOM (Document Object Model) property overrides.

Firefox 1.0.3 and Mozilla 1.7.7 also address six lesser security risks, as described by Secunia here (http://secunia.com/advisories/14938). Users of the popular browsers are strongly urged to apply the appropriate update. ®
