Mozilla patched four critical memory safety bugs in the Firefox browser engine. “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code”, Mozilla said in a security advisory.
Another critical bug patched in Firefox 6 allowed unsigned JavaScript code to run a script inside a signed JAR file with the permissions and identity of that file.
Mozilla also fixed a critical flaw in the WebGL shader program, which “could cause a buffer overrun and crash in a strong class used to store the shader source code.” In addition, the company fixed a potentially exploitable heap overflow in the ANGLE library used by WebGL implementation and a “dangling pointer vulnerability” in a SVG text manipulation routine.
Also fixed in Firefox 6 were two high-risk flaws: credential leakage using Content Security Policy reports and cross-origin data theft using canvas and Windows D2D.
Firefox 6 added domain highlighting in the URL to make phishing attempts more apparent. "The Awesome Bar (URL bar) highlights a Website’s domain name and the identity block is more prominent to help quickly identify where you are on the Web," Mozilla said in a blog post.