Mozilla has released an update to its Firefox browser, fixing a widely publicized flaw in the open-source software. The 18.104.22.168 update fixes a handful of memory corruption flaws that crash Firefox and a cross-site request forgery flaw that could give attackers a way to get unauthorized access to certain Web sites. But the most anticipated bug fix in this release addresses a problem in the way Firefox processes files that are compressed using the .jar (Java Archive) format.
Firefox does not properly check .jar files, giving attackers a way to launch Web-based cross-site-scripting attacks against Firefox users. The bug was first reported in February, but it gained widespread attention in early November when security researchers showed how it could be used in cross-site scripting attacks to run unauthorized code on the victim's PC. The memory corruption bugs could also have led to more serious problems, Mozilla said in its note on the bugs. "We presume that with enough effort, at least some of these could be exploited to run arbitrary code," the note reads.