Firefox and Safari Both Get Security Updates

JavaScript flaws were fixed in both Mozilla and Apple's browsers this week, and users are encouraged to download the updates as soon as possible. Firefox 2.0.0.14 addresses security problems in the browser's JavaScript engine which were labeled critical by the company's developers. Some users had reported crashes during JavaScript garbage collection and although no evidence was shown that these were in fact exploitable, Mozilla stressed the fact that this type of crash had been proven to be exploitable in the past.

Meanwhile, the update to Safari fixes four vulnerabilities. Although all four affect Windows users, only half of that group applies to OS X. An interesting Windows-only bug corrected in the update involves a timing issue which allowed a Web page to change the contents of the address bar without actually loading the contents of the corresponding page. This in turn could be used to easily spoof a legitimate site. The second Windows flaw fixed in Safari 3.1.1 is a memory corruption issue in the browser's file downloading mechanism which could lead to application termination or even arbitrary code execution. The other two flaws that were patched affect both the Windows and Mac platforms and involve WebKit's handling of specific URLs as well as its handling of JavaScript regular expressions.

Safari users should download 3.1.1 immediately and it is recommended that Firefox users do the same with version 2.0.0.14.