Security vulnerabilities in the Firefox browser and Thunderbird mail client
are scary. Both tools are widely used, exposed to arbitrary data from the
Internet, and used with important (and confidential) information. A
widespread exploit has the potential to affect large numbers of people in
highly unfortunate ways. So, whenever the Mozilla Project fixes a set of
vulnerabilities, it's worth paying attention.
The recently released Firefox
220.127.116.11 addresses a
fairly long list of vulnerabilities. Some of the most significant of
those (the ones rated "critical") are:
There are also several vulnerabilities which are not considered to be quite
as frightening, but which are still in need of fixing.
18.104.22.168 is also out, with its
own vulnerability list. Only one of these is deemed critical: a double-free
error on an invalid VCard which appears to be exploitable. It is worth
noting, however, that Thunderbird uses much of the Firefox code base for
rendering HTML, so it can also suffer from Firefox's vulnerabilities. So,
mail (an especially bad idea which is not the default behavior), most of
the Firefox vulnerabilities listed above are also exploitable in
There is another common theme found in all of the Firefox vulnerabilities:
executable content seems to be a hard thing to get right; it is an ongoing
source of vulnerabilities in almost every context where it can be found.
entirely. It is unfortunate that so many web sites are inaccessible to
enable a problematic feature they might prefer to do without.
(See the LWN vulnerability
entry for distributor updates addressing these problems. As of this
writing, the list of updates is discouragingly short, with only Slackware
and rPath getting fixed out within the first couple of days after
to post comments)