Posts Tagged ‘Security Patches’

Mozilla released updates to both Firefox 3 and 3.5 yesterday, fixing several security and stability issues.

A full list of changes can be found in the Firefox 3.0.13 and Firefox 3.5.2 release notes.

Users of either browser should have the update pushed out to them, or you can get it manually by going to the Help menu and selecting Check for Updates.

Categories: Firefox

Google has pushed out Chrome 2.0.172.37 to users of the browser, patching two security holes.

The security holes would allow an attacker to run arbitrary code in the Google Chrome sandbox, and even with the privileges of the logged-on user.

Other changes include:

  • Fix: Solving captcha images broken at orkut.com. (Issue 15569)
  • Make forward/backward navigation work even when redirection is involved. (Issue 9663, Issue 10531)
  • Fix: Daylight savings time not recognized for some CET locales. (Issue 12579)
  • Fix a browser crash on closing a URL request. (Issue 8942)
  • Update the V8 JavaScript engine to version 1.1.10.14 to fix issues with regular expressions.
  • Update Gears to the latest release, 0.5.25.0.

The update will be pushed out automatically to Chrome users.

Categories: Chrome

For those who are still using Firefox 3, Mozilla has updated the browser to close 9 security holes, 4 of which were rated critical.

A full list of changes can be found in the release notes, and the update is recommended for all Firefox 3 users.

The update will be pushed out to existing Firefox 3 users in the next 24-48 hours, or can be installed from the Help menu.

Categories: Firefox

Mozilla has released Firefox 3.5.1, which fixes several security and stability issues.

One security vulnerability is rated as critical, and could allow a remote attacker to gain control of a user's PC.

Firefox 3.5.1 can be downloaded from the Firefox website, and will automatically be pushed out to existing Firefox 3.5 users. A full list of changes can be found in the release notes.

Categories: Firefox

Security firm Secunia is warning of a zero-day security exploit discovered in Firefox 3.5 that allows a malicious site to execute arbitrary code.

“The vulnerability is caused due to an error when processing JavaScript code handling e.g. ‘font’ HTML tags and can be exploited to cause a memory corruption” said a spokesperson from Secunia.

No word from Mozilla on a fix yet, but Firefox 3.5.1 will likely be released in the coming days to address the issue.

Categories: Firefox

Apple has released Safari 4.0.2 for both Mac and Windows, which is available through either software update or through the Safari website.

The update improves the stability of the Nitro JavaScript engine used by Safari and addresses two security vulnerabilities, which are described below:

  • An issue in WebKit’s handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
  • A memory corruption issue exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.

The update is recommended for all Safari users.

Categories: Safari

Microsoft has announced that a serious exploit in Microsoft’s Video ActiveX Control can allow hijackers complete access to a remote system.

The zero-day exploit affects Internet Explorer 6 and 7 users on Windows XP or Windows 2003 when they visit an infected web site.

Windows Vista, Windows 7 and Internet Explorer 8 users are safe for now. No patch is currently available but Microsoft has posted a workaround for the exploit.

A patch is in the works, but no details on when it will be released have been announced.

Categories: Internet Explorer

Along with Apple’s release of 10.5.7 yesterday, Apple has also quietly updated Safari 4 and 3 with security patches.

The update for Safari repaired input validation and memory corruption issues which could have allowed hackers to plant malicious code on websites.

The update was included for Mac users who have already installed the 10.5.7 update, or an updated version of the browser can be downloaded and installed manually from the Apple Safari website.

Categories: Safari

Less than a week after Mozilla released Firefox 3.0.9, Firefox 3.0.10 is now available.

The latest release fixes a major stability problem, along with two critical security issues.

A full list of changes can be found in the release notes.

Existing users will have the update pushed out to them, or it can be downloaded directly from the Firefox website.

Categories: Firefox

Google released a new version of Chrome overnight, patching a high-severity security hole.

The flaw, discovered on April 8 by IBM, allowed for cross-site scripting attacks through the use of malicious JavaScript on a website.

Google Chrome program manager, Mark Larson, describes how the flaw could work. “An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.”

“If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice. Such an attack only works if Chrome is not already running” wrote Larson.

The patch will be pushed out automatically to current Chrome users, and will take the browser to version 1.0.154.59. New users can download the latest Google Chrome directly.

Categories: Chrome