moztrioThe h-online: Following the recent Firefox 16 release, Mozilla has now detailed all of the security fixes in the new version of its open source web browser as well as in the Thunderbird news and email client. Version 2.13 of the SeaMonkey “all-in-one internet application suite” has also received fixes. In addition to adding new features, version 16.0 of Firefox closes a total of 14 security holes, 11 of which are rated as “Critical” by the project.

These critical vulnerabilities include several memory handling and corruption issues, buffer overflows and the possibility of arbitrary code execution through bypassing security checks for the cross-origin properties. Another vulnerability could lead to JavaScript crashing the browser when using an invalid cast with the instance of operator.

According to Mozilla, many of these vulnerabilities could be exploited remotely by an attacker to, for example, execute malicious code on a victim’s system.

Additionally, the desktop Firefox update corrects three high-risk vulnerabilities including a spoofing and script injection bug, and cross-site scripting (XSS) problems. The majority of these same vulnerabilities have been addressed in version 10.0.8 of Mozilla’s “enterprise” Extended Support Releases (ESR) of Firefox ESR and Thunderbird ESR. The developers have also fixed a critical issue in Reader Mode on Firefox for Android.

As they are all based on the same Gecko platform as Firefox, Thunderbird 16 (which has not been released yet) and the 2.13 release of SeaMonkey also close a number of the same security holes. However, Mozilla notes that many of the flaws “cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products”.

Further information about the security holes closed by these updates, including a full list of fixes, can be found in Mozilla’s security advisories. Firefox 16.0 (release notes), Firefox ESR 10.0.8 (release notes), Thunderbird 10.0.8 ESR (release notes) and SeaMonkey 2.13 (release notes) can be downloaded for Windows, Mac OS X and Linux from the project’s site – at the time of writing, Mozilla has yet to release Thunderbird 16. Existing users can upgrade to the new versions, either by waiting for the automated update notification or by manually checking for updates.

Update 12-10-12: Following the discovery of a privacy-related security hole, Mozilla has released version 16.0.1 of both Firefox and Thunderbird to address the problem along with other critical vulnerabilities discovered after the 16.0 releases. The organization advises all users to upgrade as soon as possible. Updates for the ESR versions of Thunderbird and Firefox are currently undergoing quality assurance testing and should be available soon. An update to SeaMonkey, version 2.13.1, is also expected, but has yet to be released at the time of writing.