The Mozilla Foundation has released version 3.6.2 of its open source Firefox web browser. The developers say that, in addition to other holes, the most important vulnerability closed in Firefox 3.6.2 is a critical hole known since February, although details of this hole only became available recently. The new version of Firefox was originally scheduled for release on the 30th of March, but the developers have now brought forward its completion partly because security firm Secunia rated the hole highly critical.
The security hole allows remote attackers to take control of a PC. It became apparent when Russian security firm Intevydis provided their customers with a pertinent Windows exploit. Intevydis sell their knowledge rather than sharing the details of discovered security holes with the vendors of the relevant products. Evgeny Legerov, who discovered the hole, had initially bragged about his find without mentioning any details, but did eventually contact the Mozilla developers.
Firefox versions prior to version 3.6 are not affected by the problem. The hole prompted BürgerCERT, a project run by the German Federal Office for Information Technology Security (BSI), to issue a warning which advised users to switch to "alternative browsers" until Firefox 3.6.2 is released. The warning, however, disconcerted some security experts.
The Mozilla developers recommend that all users update to the new version of Firefox as soon as possible. Firefox 3.6.2 is deployed via the web browser's update feature and can be downloaded for Windows, Mac OS X and Linux.
More details about the release can be found in the release notes. Firefox binaries are released under the Mozilla Firefox End-User Software License Agreement and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.