Hot on the heels of the Firefox browser’s previous update, Mozilla has released version 6 as part of the team’s rapid upgrade cycle. A total of ten security bugs have been patched, of which eight have a critical rating and two a high rating, according to the Mozilla advisory. The upgrade fixes several memory safety bugs, flaws related to unsigned scripts, heap overflows and issues with WebGL shaders, among others.
Buffer overrun errors have been fixed in the WebGL rendering engine; overly long shader programs could cause a crash in the string class used to store the shader source code. Other WebGL fixes address heap overflows in the ANGLE library used by Mozilla’s WebGL implementation.
Of the ten security bugs, two carry a high rating. These bugs are known to cause credential leakage using content security policy reports and cross-origin data theft. Of these, the first could lead to the incorrect resolution of hosts. The second bug could lead to image data from one domain being read by another domain when using canvas and Windows D2D hardware acceleration.
A complete run-down of the security fixes can be found in this Mozilla Firefox advisory. The Mozilla team has also released security fixes for Firefox version 3.6, updating it to 3.6.20, the details of which are addressed in a separate security advisory.
Firefox 6 is available as an incremental update through the built-in update engine for existing users of versions 4 and 5. It is also available as a stand-alone installer from the Mozilla website.