Mozilla coughed its latest Firefox update this week and patched ten flaws – five of which were critical vulnerabilities – in the latest version of its browser.

The firm said it strongly recommended that Firefox fanciers upgrade to version 2.0.0.13 because of the number of security fixes built into the latest update.

Critical flaws that have now been patched (http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13) in the Internet Explorer rival include a brace of exploits that could crash Firefox or its JavaScript engine and cause an arbitrary code execution.

The update, which applies to Windows, Mac and Linux-based machines, was pushed out automatically by Mozilla earlier this week.

Other vulnerabilities that have now been patched include a privacy issue with SSL client authentication, an HTTP referrer spoofing bug and a fix for a Java socket connection to any local port via LiveConnect.

However, the firm has not built the fixes into the latest version of its mail client Thunderbird, even though it shares five of the flaws. Mozilla’s David Ascher said on his blog (http://ascher.ca/blog/2008/03/16/progress-update/) last week that patches will not be available for “several weeks”.

In the meantime the firm advised the following: "Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail.

"This is not the default setting, and we strongly discourage users from running JavaScript in mail." ®

Related stories

Mozilla Screaming Monkey offers freedom from IE 'millstone' (29 May 2008)
http://www.channelregister.co.uk/2008/05/29/screaming_monkey_ie/
Firefox developers tinker with new security protections (finally) (20 May 2008)
http://www.channelregister.co.uk/2008/05/20/new_firefox_security_protections/
First public Firefox 3 candidate shoots out the door (19 May 2008)
http://www.channelregister.co.uk/2008/05/19/firefox_3_candidate_release/
Firefox language pack provides adware back-door (8 May 2008)
http://www.channelregister.co.uk/2008/05/08/firefox_component_compromise/
Firefox and Safari updates tackle alternative browser bugs (17 April 2008)
http://www.channelregister.co.uk/2008/04/17/alt_browser_updates/
The trinity of RIA security explained (8 April 2008)
http://www.channelregister.co.uk/2008/04/08/ria_security/
Final beta of Firefox 3 available now (2 April 2008)
http://www.channelregister.co.uk/2008/04/02/firefox3_beta5_release/
Cross industry AJAX group reaches IE 8 'consensus' (28 March 2008)
http://www.channelregister.co.uk/2008/03/28/openajax_alliance_internet_explorer_eight/
Mozilla CEO blasts Apple for putting security of the internet at risk (24 March 2008)
http://www.channelregister.co.uk/2008/03/24/mozilla_and_the_apple_itunes_update/
Mozilla reaches stage 4 of Firefox 3 beta endurance test (11 March 2008)
http://www.channelregister.co.uk/2008/03/11/mozilla_firefox3_beta4/
Mozilla opens the doors on Messaging subsidiary (20 February 2008)
http://www.channelregister.co.uk/2008/02/20/mozilla_messaging/
Mozilla 2 promises big change (14 February 2008)
http://www.channelregister.co.uk/2008/02/14/mozilla_two/
Firefox 3 beta is live (13 February 2008)
http://www.channelregister.co.uk/2008/02/13/firefox_3_beta/