The Mozilla Project has issued a warning for a series of “highly critical” security holes in three of its core projects, including its flagship Firefox Web browser and the Thunderbird e-mail client.
The vulnerabilities, which also affect the Mozilla browser, could potentially be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user’s system.
The news comes just days after the open-source project issued a preview release of Firefox 1.0, which includes an RSS reader that displays “live bookmarks,” a new “Find” tool and an updated plug-in installer.
An advisory released by Secunia warned that the flaws carry a “highly critical” rating.
Secunia listed seven vulnerabilities that affect the Mozilla products, including various boundary errors that can be exploited to cause heap-based buffer overflows when a specially crafted e-mail is forwarded or opened.
A successful attack could lead to the execution of malicious code to completely hijack a vulnerable machine.
Another flaw exists where insufficient restrictions on script-generated events on text fields can be exploited to read and write content from and to the clipboard.
Secunia also warned of a problem with overly long links containing non-ASCII characters that can be exploited via a malicious Web site or e-mail to cause a buffer overflow.
“An integer overflow when parsing and displaying BMP files can potentially be exploited to execute arbitrary code by supplying an overly wide malicious BMP image via a malicious website or in an e-mail,” the research firm said.