Mozilla patches critical bugs in new Firefox update

Mozilla has issued a security update Firefox to address five bugs in older versions of the browser, including three labelled as critical.

Users of Firefox 3.0.x and 3.5.x are being advised to upgrade to versions 3.0.18 and 3.5.8 respectively to protect against the vulnerabilities, three of which have been labelled critical and two moderate in Mozilla's four-step scoring system.

The latest version of the browser, Firefox 3.6, already had the patches on board when it launched last month.

The critical updates relate to instabilities in Firefox's Gecko rendering engine, a flaw in the HTML parser and a vulnerability in how Firefox uses web workers to move JavaScript tasks to the background.

According to Mozilla, its crash reports show that all three of the holes could potentially be used by hackers to inject malware onto the host computer.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the advisory accompanying the update reads.

The two remaining flaws are less serious, potentially allowing an attacker to execute malicious JavaScript code.

The remaining two moderate bugs address holes that could be exploited in cross-site scripting attacks in JavaScript. Mozilla revealed that both had been reported by Microsoft just one day after the computing giant reported a critical flaw in Adobe's Reader and Acrobat software.

The Firefox 3.0.18 and 3.5.8 security updates are available for Windows, Mac OS X and Linux users, and can be downloaded from Mozilla or using Firefox's update system.