On Monday Mozilla released an update to its Firefox browser addressing a critical bug that could allow an attacker to remotely execute arbitrary code on a user's system. The company said in this blog post that the v3.6.2 patch was released ahead of schedule; this may be due to an upcoming hacking contest that targets browser vulnerabilities.
According to the company's security advisory, researcher Evgeny Legerov of Intevydis reported that the WOFF decoder contains an integer overflow in a font decompression routine. The flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this newly found vulnerability to crash the browser and achieve remote code execution.
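To make the bug class concrete, the following C snippet is an added, constructed example (not Mozilla's code, and the header layout is hypothetical, not the WOFF format). It shows the general pattern behind an undersized allocation: a decoder reads an attacker-controlled element count and element size from the file, multiplies them in 32-bit arithmetic, and the product wraps, so the buffer it allocates is far smaller than the data it later writes. The hardened variant widens the arithmetic before multiplying, applies an explicit ceiling, and refuses to copy more than the input actually contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical table header as a font decoder might read it from an
 * untrusted file. Both fields are attacker-controlled. Constructed for
 * this example; it is not the WOFF layout. */
typedef struct {
    uint32_t entry_count;
    uint32_t entry_size;
} table_header_t;

/* Vulnerable pattern: the product is computed in 32 bits and wraps
 * modulo 2^32, so the allocation that follows can be much smaller than
 * the data the decoder subsequently writes into it. */
uint32_t unsafe_buffer_size(uint32_t entry_count, uint32_t entry_size)
{
    return entry_count * entry_size; /* wraps silently */
}

/* Hardened pattern: widen to 64 bits before multiplying, then enforce
 * an explicit ceiling so an absurd but non-wrapping size is rejected
 * as well. Returns false if the header is not acceptable. */
bool safe_buffer_size(uint32_t entry_count, uint32_t entry_size,
                      size_t max_bytes, size_t *out)
{
    uint64_t need = (uint64_t)entry_count * (uint64_t)entry_size;
    if (need > max_bytes)
        return false;
    *out = (size_t)need;
    return true;
}

/* Convenience wrapper: the checked size, or 0 if the header is rejected. */
size_t checked_size_or_zero(uint32_t entry_count, uint32_t entry_size,
                            size_t max_bytes)
{
    size_t n;
    return safe_buffer_size(entry_count, entry_size, max_bytes, &n) ? n : 0;
}

/* Hypothetical decode step: allocate the validated size and copy the
 * table out of the input. Also rejects a header whose declared size
 * exceeds the bytes actually present, which catches truncated input.
 * Returns bytes copied, or 0 on rejection; *out_buf is owned by caller. */
size_t decode_table(const table_header_t *h, const uint8_t *in, size_t in_len,
                    size_t max_bytes, uint8_t **out_buf)
{
    size_t need;
    *out_buf = NULL;
    if (!safe_buffer_size(h->entry_count, h->entry_size, max_bytes, &need))
        return 0;
    if (need > in_len)
        return 0;
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf)
        return 0;
    memcpy(buf, in, need);
    *out_buf = buf;
    return need;
}

/* Runs decode_table over a constructed input of in_len filler bytes and
 * reports how many bytes were accepted (0 when the header is rejected). */
size_t demo_decode(uint32_t entry_count, uint32_t entry_size, size_t in_len)
{
    table_header_t h = { entry_count, entry_size };
    uint8_t *in = malloc(in_len ? in_len : 1);
    if (!in)
        return 0;
    memset(in, 0xAB, in_len); /* constructed filler, not real font data */
    uint8_t *out = NULL;
    size_t got = decode_table(&h, in, in_len, (size_t)1 << 26, &out);
    free(out);
    free(in);
    return got;
}

int main(void)
{
    /* 0x10000 * 0x10000 = 2^32, which wraps to 0 in 32-bit arithmetic. */
    uint32_t wrapped = unsafe_buffer_size(0x10000u, 0x10000u);
    size_t checked = checked_size_or_zero(0x10000u, 0x10000u, (size_t)1 << 26);
    return (wrapped == 0 && checked == 0) ? 0 : 1;
}
```

The 64-bit widening is portable; on GCC and Clang, `__builtin_mul_overflow` is an equivalent way to detect the wrap without a wider type. The ceiling (64 MiB here, an arbitrary choice for the example) matters independently of the overflow check: a decoder should never let a file header alone decide how much memory to allocate.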
In addition to the critical update, the patch also addresses several other security and stability issues. "We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said. "If you already have Firefox 3.6 you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."
Mozilla also suggested that Firefox 3.0 and 3.5 users upgrade to the latest version.