According to Mozilla, the critical vulnerability involved memory corruption problem, allowing attackers to cause run arbitrary code. The organization advises users to disable JavaScript until a the fix is installed.

The update pack also comes with two fixes for  high-risk flaws, both involving  involve same-origin violation security bugs. The first exploit is based on loading an Adobe Flash file via the view-source: scheme. Apparently,  the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities.

First, the Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites, thus enabling attackers to perform CSRF attack. Second, the Flash file can read and write Local Shared Objects on a user’s machine and would enable attackers to place cookie-like objects on a user’s computer and track them across multiple sites.

The other high-risk flaw enables users to create a document whose URI does not match the document’s principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks and  could be used to execute arbitrary JavaScript within the context of another site.

Users will automatically receive the new update in the next 48 hours.