The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks being bypassed by frame scripts, a use-after-free error in child nodes from nsDOMAttribute, and various memory safety hazards. These vulnerabilities could be exploited remotely by an attacker to, for example, execute arbitrary code on a victim’s system.
Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or allow an attacker to violate the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. Also fixed was a moderate severity bug that caused a user’s Firefox Sync key, when exported to a “Firefox Recovery Key.html” file, to be saved with incorrect permissions.
Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one internet application suite” fixes all of the same vulnerabilities. Thunderbird 10 addresses all but one: it does not use Firefox Sync and so is not affected by the moderate incorrect permissions bug.
An update to the 3.6.x legacy branch of Firefox, version 3.6.23, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax, which was previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding that the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.
All users are advised to upgrade to the current stable versions.