Mozilla Firefox Multiple Vulnerabilities Fixed in 3.0.12 and 3.5.1

Description

Mozilla Firefox before 3.0.12 and 3.5.1 are affected by multiple vulnerabilities:

• Crashes with evidence of memory corruption (MFSA 2009-34). Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
• Crash and remote code execution during Flash player unloading (MFSA 2009-35). When a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer.
• Heap/integer overflows in font glyph rendering libraries (MFSA 2009-36). A series of heap and integer overflow vulnerabilities have been reported in multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An attacker could trigger these overflows by constructing a very large text run for the browser to display. Such an overflow can result in a crash which the attacker could potentially use to run arbitrary code on a victim's computer.
• Crash and remote code execution using watch and __defineSetter__ on SVG element (MFSA 2009-37). A crash has been reported involving a SVG element on which a watch function and __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer.
• setTimeout loses XPCNativeWrappers (MFSA 2009-39). setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges.
• Multiple cross origin wrapper bypasses (MFSA 2009-40). A series of vulnerabilities have been reported in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site.