The Mozilla Foundation has warned of a slew of critical vulnerabilities to its popular Firefox web browser and related products. The most serious of the flaws create a means for hackers to inject malware onto vulnerable systems. Other flaws would make it easier to construct phishing attacks or swipe sensitive information from PCs running Firefox.

Mozilla products fail to properly enforce security restrictions in JavaScript and are subject to memory corruption via maliciously constructed HTML tags. There's also problems with how the products handle Cascading Style Sheets which leave open security holes that might allow the execution of arbitrary code on a vulnerable system. US CERT has produced a useful overview of the vulnerabilities, the most extensive ever to affect Mozilla products, here. Secunia documents the 21 vulns here.

Users are advised to upgrade to Mozilla Firefox 1.5.0.2, Mozilla Thunderbird 1.5.0.2, or SeaMonkey 1.0.1 to guard against attack. A security update to the Thunderbird email client (version 1.5.0.2) is due to be released on Tuesday. ®

Related stories

• Mozilla creates start-up to recruit email developers (18 September 2007)
• Mozilla brainstorms Firefox 3.0 (16 October 2006)
• Mozilla flaws more joke than jeopardy (5 October 2006)
• Mozilla delays Firefox 2.0 release (17 August 2006)
• Firefox users need to update (again) (27 July 2006)
• Firefox 2.0 ready to test (13 July 2006)
• Firefox vuln fails to imperil World Cup (5 June 2006)
• Infosec blog All my personal details for chocolate? Go on then (18 April 2006)
• Patches released for zero-day IE threat (29 March 2006)
• 'Firefox flaw wrecked my relationship' (23 March 2006)
• Mozilla Firefox 1.5 has landed (30 November 2005)
• Browser developers team up to thwart hackers (23 November 2005)
• Mozilla suffers growing pains (22 September 2005)
• Firefox and Mac security sanctuaries 'under attack' (19 September 2005)
• Firefox blighted by unpatched bug (9 September 2005)