The Register®

Original URL: http://www.theregister.co.uk/2005/04/19/firefox_security_update/

Unholy trio menace Firefox

Critical update for Mozilla and Firefox

By John Leyden

Posted in Security, 19th April 2005 13:05 GMT

The Mozilla Foundation has released updated versions of its popular Firefox (version 1.0.3) and Mozilla (version 1.7.7) web browsers to correct a number of recently discovered security flaws. The updates fix a trio of critical vulnerabilities, two of which have become the subject of proof-of-concept hacker exploits.

Two of the flaws pose a severe risk now that they have been coded up in script-kiddie friendly exploits: a bug [1] that allows hackers to inject JavaScript code in link tags supporting "favicons", and a Mozilla-specific flaw [2] that allows the execution of arbitrary code remotely via the Firefox sidebar. A third critical security bug, affecting versions of the browsers prior to Firefox 1.0.3 and Mozilla 1.7.7, involves privilege escalation [3] via DOM (Document Object Model) property overrides.

Firefox 1.0.3 and Mozilla 1.7.7 also address six lesser security risks, as described by Secunia here [4]. Users of the popular browsers are strongly urged to apply the appropriate update. ®
