The update, Firefox 3.6.13 and 3.5.16, fixes 11 critical flaws that could result in a remote attacker installing malicious software on victim machines, according to Mozilla's security advisory. Of the remaining bugs, one was rated “high” in severity, and another “moderate.”
In all, the vulnerabilities could allow an attacker to execute arbitrary code, operate with elevated privileges, or spoof the location bar, according to an advisory posted Friday by the US-CERT.
One of the patches fixes a critical arbitrary code execution bug in Firebug, a popular Firefox website debugging and editing add-on. The flaw was originally fixed in late March and, at the time, Mozilla said it did not affect Firefox 3.6.
The same Mozilla researcher who originally reported the flaw, however, discovered that the initial patch could be circumvented, permitting the execution of arbitrary JavaScript, according to Mozilla's security advisory.
The latest patch addresses both Firefox 3.5 and 3.6.
Other vulnerabilities fixed in the update include several memory safety, buffer and integer overflow, location bar SSL spoofing and cross-site scripting bugs.
Some of the flaws also affect Mozilla's SeaMonkey application suite and the Thunderbird email client. These were fixed in Thunderbird 3.1.7 and 3.0.11 and SeaMonkey 2.0.11.