Firefox users, get ready for the Update Available pop-up: New versions for the 3.0 and 3.5 browser lines that fix critical security holes are now available.
One serious bug in the “BrowserFeedWriter” could be hit with malicious Javascript code to run an attacker’s command with elevated privileges. A second critical TreeColumns dangling pointer vulnerability, along with a third set of critical issues in the browser engine, could allow a bad guy to crash Firefox and run “arbitrary code,” which might be to install malware, on a vulnerable computer.
Both updates also fix a low-priority flaw in the Location bar that could be used to hide a URL by using certain Unicode characters, and 3.0.14 patches up a moderate hole involving PKCS11 modules that could “affect the cryptographic integrity” of a vulnerable browser.
For more details see the full list of security advisories for Firefox 3.0 or Firefox 3.5. And to pick up either update, click on Help | Check for Updates.