Mozilla has fixed eight vulnerabilities in Firefox that could lead to cross-site scripting attacks and the execution of arbitrary code.
The open-source browser maker asked users running Firefox 2.0 to upgrade to version 220.127.116.11, or to version 18.104.22.168 if they are still using Firefox 1.5. In addition, users of the Thunderbird e-mail client are urged to upgrade to version 22.214.171.124, and those running SeaMonkey, an internet suite, to version 1.0.7.
Mozilla ranked the threat level of five of the flaws "critical," two "high" and one "low." Vulnerability tracking firm Secunia ranked the package of vulnerabilities "highly critical."
Window Snyder, Mozilla's security chief, told SCMagazine.com today that discovering holes in Firefox offerings should not be viewed as a negative.
"It's definitely a good thing for us to identify bugs, and when we're fixing more bugs, the product is more secure," she said.
Researchers noted that Mozilla failed to fix a password manager vulnerability in Firefox. The bug, reported Nov. 21 by Chapin Information Services, exposes saved usernames and passwords to attackers through a vulnerability being called a "reverse cross-site request."
"The flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added," according to Chapin.
Snyder said Mozilla is planning to plug the hole in its next version release, scheduled to appear in six to eight weeks.
"We want to make sure we're addressing it the right way," she said. "The way we want to fix it requires more of an investment."
The issue has been fixed in MySpace, where it was first reported, Snyder said.