Mozilla is out this week with its largest patch update yet for the Firefox 3.6 browser, closing the door on 14 reported security vulnerabilities, eight of which Mozilla rates as critical issues.

The new Firefox 3.6.7 release comes just ahead of the annual Black Hat security conference in Las Vegas. Last year, Mozilla rushed out patches after the event to fix security issues that had been identified or discussed by security researchers there.

It's unclear whether any of the new fixes in Firefox 3.6.7 are proactive responses to research expected at the conference. However, Mozilla is actually playing catch-up when it comes to at least one threat that other browser vendors have already addressed.

With Firefox 3.6.7, Mozilla is providing users with a PNG image fix for a flaw that had first been patched by Google's Chrome earlier this month.

"A malformed PNG file could be created [that] would cause libpng to incorrectly report the size of the image to downstream consumers," Mozilla's advisory states. "When the dimensions of such images are underreported, the Mozilla code responsible for displaying the graphic will allocate too small a memory buffer to contain the image data and will wind up writing data past the end of the buffer. This could result in the execution of attacker-controlled memory."
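The advisory describes a consumer that sizes its buffer from the decoder's reported dimensions and then writes more data than that. The following is an added illustration, not Mozilla's or libpng's code, of the check that prevents this: the copy routine compares the decoded data it is handed against the allocation it actually made, and the size computation additionally guards against integer overflow, a related way of ending up with a too-small buffer that the advisory does not mention. The `image_info` type and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Dimensions as reported to a downstream consumer. Constructed type for
   illustration; it does not mirror libpng or Mozilla's image code. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_info;

/* Bytes the consumer must allocate, or 0 if any dimension is zero or
   width * height * bytes_per_pixel would overflow size_t. */
size_t image_buffer_size(const image_info *info)
{
    if (info->width == 0 || info->height == 0 || info->bytes_per_pixel == 0)
        return 0;
    uint64_t pixels = (uint64_t)info->width * info->height;  /* cannot overflow */
    if (pixels > UINT64_MAX / info->bytes_per_pixel)
        return 0;
    uint64_t total = pixels * info->bytes_per_pixel;
    return total > SIZE_MAX ? 0 : (size_t)total;
}

/* Hardened row copy: refuses to write if the rows the decoder delivers need
   more space than dst actually has, instead of running past its end.
   Returns the number of rows written, or -1 on a size mismatch. */
int copy_rows_checked(uint8_t *dst, size_t dst_len,
                      const uint8_t *rows, size_t row_len, size_t row_count)
{
    /* row_count * row_len > dst_len, written so the product cannot overflow */
    if (row_len != 0 && row_count > dst_len / row_len)
        return -1;
    for (size_t r = 0; r < row_count; r++)
        memcpy(dst + r * row_len, rows + r * row_len, row_len);
    return (int)row_count;
}

/* Replays the advisory's scenario with constructed values: dimensions are
   reported as 2x2 (16 bytes), but the decoder hands back 4 rows of 8 bytes.
   Returns 1 if the checked copy rejected the oversized data, 0 otherwise. */
int underreported_size_is_rejected(void)
{
    image_info reported = { 2, 2, 4 };
    size_t len = image_buffer_size(&reported);
    uint8_t *buf = malloc(len);
    uint8_t actual[32];                          /* what really arrives */
    memset(actual, 0xAB, sizeof actual);
    int rc = buf ? copy_rows_checked(buf, len, actual, 8, 4) : -1;
    free(buf);
    return rc == -1;
}
```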

Mozilla credited the vulnerability report to security researcher Aki Helin, who had warned about the flaw as early as June 7, when he posted the issue to the Chromium project's issue tracker. While that tracker serves as a means to alert Chrome's developers to potential vulnerabilities -- Google later credited Helin with the discovery of the flaw as it existed in its own browser -- he also noted at the time that Firefox was at risk.

Among the other critical fixes delivered in the new Firefox 3.6.7 release are what Mozilla's security advisory identifies only as "memory safety bugs" that an attacker could potentially exploit to run arbitrary code.

Additionally, Mozilla credits security researchers from HP TippingPoint's Zero-Day Initiative (ZDI) with the discovery of a trio of critical vulnerabilities that are now fixed in Firefox 3.6.7. Among them are a critical remote code execution vulnerability in the DOM (Document Object Model), a use-after-free error in Mozilla's NodeIterator, and a plugin parameter remote code execution issue.

The Firefox 3.6.7 release also provides fixes for a pair of cross-origin data leakage issues that could have led to unintended information disclosure, according to Mozilla. There is also a fix for a cross-domain data theft issue by way of CSS.

"Google security researcher Chris Evans reported that data can be read across domains by injecting bogus CSS selectors into a target site and then retrieving the data using JavaScript APIs," Mozilla stated in its advisory.

The Firefox 3.6.7 update also addresses multiple location bar spoofing vulnerabilities, two of which were discovered by Google security researcher Michal Zalewski.

"The first method works by opening a new window containing a resource that responds with an HTTP 204 (no content) and then using the reference to the new window to insert HTML content into the blank document," Mozilla's advisory states. "The second location bar spoofing method does not require that the resource opened in a new window respond with 204, as long as the opener calls window.stop() before the document is loaded. In either case, a user could be misled as to the correct location of the document they are currently viewing."

The Firefox 3.6.7 update is Mozilla's first security patch update to the open source browser since Mozilla added out-of-process plugins with the 3.6.4 release. There was no 3.6.5 release and the Firefox 3.6.6 release was just a configuration fix for the out-of-process plugins feature.

Looking ahead, Mozilla developers are currently working on the Firefox 4 browser, with a second beta release expected by the end of the week.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.