Firefox update plugs cookie flaw

Mozilla has released updates to its Firefox browser and Thunderbird email client for Mac, Linux and Windows users.

Mozilla said in a post on its development site: "Due to the security fixes, we strongly recommend that all Firefox users upgrade to these latest releases."

Mike Schroepfer, vice president of engineering at Mozilla, said in a statement: "This update resolves the location.hostname vulnerability and other security and stability issues."

The location.hostname vulnerability Schroepfer referred to was the Firefox cookie flaw discovered by Michal Zalewski, an "ethical hacker" from Poland.

In mid-February, Zalewski posted his proof-of-concept on a mailing list for other security experts. His note said a flaw in Firefox could allow hackers to set or change cookies for their own purposes. A fix for the high-impact flaw was made by Firefox developers in recent weeks.

This update includes the patch for that fix, as well as a fix for the critical level flaw involving memory corruption that can lead to crashes. That flaw left people using JavaScript in their mail - a practice Mozilla "strongly discourages" - open to attacks.

Schroepfer said: "Thanks to the work of our contributors we have been able to address these issues quickly in order to minimise the security risk to Firefox users."

The update is available in 37 languages from the GetFirefox.com and GetThunderbird.com websites for 1.5.0.10 versions of Firefox and Thunderbird, as well as Firefox 2.0.0.2. It is also available by clicking "Check for Updates... " in the Firefox Help menu.

Candace Lombardi writes for CNET News.com