Mozilla Corp. late Thursday updated its Firefox browser to patch a mega-batch of 24 vulnerabilities, the bulk of them tagged "critical."
Just days after rival Microsoft fixed 10 bugs in its Internet Explorer, Mozilla unveiled Firefox 184.108.40.206, which included 7 patches, 5 of them critical. It also unveiled 11 new patches for the older Firefox 1.5, 15 for the even older Firefox 1.0.x line in an update numbered 1.0.8, and 19 in the SeaMonkey browser suite, the replacement for the now-defunct Mozilla suite.
Danish vulnerability tracker Secunia tagged the overall updates -- to Firefox 220.127.116.11 and 1.0.8, and SeaMonkey 1.0.1 -- as "Highly critical," its second-from-the-top ranking. That was the same ranking Secunia awarded Tuesday's 10-bug patch for IE.
Mozilla also said it had fixed a slew of bugs that could crash the browser, some of which could conceivably be used by attackers to hijack computers. The for-profit arm of the Mozilla Foundation, however, wasn't clear on the details.
"Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code," one of the 18 security advisories read.
The bugs stem from flaws in the browsers' parsing of HTML -- one sequence of HTML tags can crash the application and leave it open to attack -- and in their implementation of CSS (Cascading Style Sheets), which can lead to a buffer overflow and then a complete computer compromise.
Of the 18 advisories that included the 24 fixes, 11 are marked "critical" by Mozilla, 4 as "high," 2 "moderate," and 1 "low." Exploiting them could, said Secunia, result in denial-of-service (DoS) attacks, browser spoofing, cross-site scripting, and unintentional disclosure of confidential information.
Mozilla made a pitch to users of older editions of Firefox to move up to the 1.5 family.
"We strongly recommend that all users upgrade to this latest release," said Mozilla of Firefox 18.104.22.168. Although it also offered a new edition of the Firefox 1.0.x line -- Firefox 1.0.8 -- it pushed those users to upgrade to the 1.5 family.
"Mozilla is also strongly recommending that Firefox 1.0 users upgrade to this latest release of Firefox 1.5 in order to take advantage of significant security and stability improvements," it said. "Firefox 1.5 includes an automated update mechanism that ensures users are always up to date with the very latest updates."
Mozilla releases Firefox security updates irregularly -- the last time was February -- but in a separate announcement, it said it planned to move to an every-six-to-eight-week schedule. However, it didn't specify a date, as Microsoft does with its every-second-Tuesday-of-the-month patch day.
Also included in Thursday's updates was Mozilla's first Mac Firefox that runs natively on Intel-based iMac, Mac mini, and MacBook Pro computers. Mac owners can now download either a version in so-called "universal binaries," meaning the program runs on both PowerPC- and Intel-powered hardware, or a PowerPC-only edition.
Previously, Firefox ran slower on Intel Macs because the code had to run through the Mac OS X PowerPC emulator, dubbed "Rosetta."
The updated editions of Firefox can be downloaded from the Mozilla Web site, although users running 1.5.x will receive automatic notices over the next several days.