A number of security flaws, some of them serious, have been discovered in older 1.4.x versions of the Mozilla browser suite.

The Mozilla Project has released updates to the current versions of Mozilla, the Firefox stand-alone browser and the Thunderbird email application - Firefox 0.9.3, Thunderbird 0.7.3 and Mozilla 1.7.2 - to deal with those of the flaws that also affect the current code base. Linux vendors such as Red Hat have also released patches for Mozilla 1.4.x that fix the bugs.

The Mozilla 1.4.x bugs include several flaws in libpng, the library Mozilla uses to display PNG graphics files and which is shared by numerous other applications; because the library is shared, fixing the browser alone does not cover other applications that link the same libpng. Other problems include improper input validation in the SOAPParameter object constructor, exploitable by malicious JavaScript; a bug in the POP3 mail code; script injection; and unauthorised file upload from a victim's computer.

Some of the bugs could allow an attacker to execute arbitrary code on a system, but most of them do not affect the most recent versions of the software.

The Mozilla Project said it believed four of the bugs did affect Mozilla 1.7.x: the libpng flaws, two spoofing bugs and a flaw in CA certificate handling that allows a denial of service against SSL pages. The libpng flaws could be used to execute arbitrary code on a system by tricking a user into viewing a specially crafted image file.
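The report does not describe the libpng bugs themselves, only that a crafted image file can reach arbitrary code execution. The general failure class in image decoders is trusting a length field from the file before copying that many bytes into a fixed-size structure. The following is an added illustration of the defensive check, written for this page; it is not Mozilla's or libpng's code and does not reproduce the specific 1.4.x flaws. It walks the chunk list of a PNG byte stream, refusing any chunk whose declared length does not fit in the bytes actually remaining or exceeds the format's 2^31-1 ceiling. The sample PNG bytes are constructed here for the example (CRC bytes are placeholders, since CRCs are not verified by this walker), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes for png_walk_chunks(): a chunk count (>= 0) or an error. */
enum {
    PNG_ERR_SIGNATURE = -1,  /* first 8 bytes are not the PNG magic          */
    PNG_ERR_TRUNCATED = -2,  /* a chunk header or CRC runs past end of data  */
    PNG_ERR_LENGTH    = -3,  /* declared length exceeds remaining bytes,     */
                             /* the 2^31-1 limit, or a fixed-size chunk's size */
    PNG_ERR_NO_IEND   = -4,  /* data ended cleanly but without an IEND chunk */
    PNG_ERR_ORDER     = -5   /* first chunk is not IHDR                      */
};

static const unsigned char PNG_SIG[8] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the chunk list of a PNG byte stream without trusting any declared
 * length. Returns the number of chunks seen on success, else a PNG_ERR_*.
 * Deliberately does not decode pixels or verify CRCs; the point is the
 * bounds check that must happen before any chunk payload is copied. */
int png_walk_chunks(const unsigned char *buf, size_t len)
{
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0)
        return PNG_ERR_SIGNATURE;

    size_t pos = 8;
    int nchunks = 0;
    for (;;) {
        if (pos == len)
            return PNG_ERR_NO_IEND;
        if (len - pos < 8)                 /* need 4 length + 4 type bytes */
            return PNG_ERR_TRUNCATED;
        uint32_t clen = be32(buf + pos);
        const unsigned char *ctype = buf + pos + 4;
        pos += 8;
        if (len - pos < 4)                 /* room for the 4-byte CRC trailer */
            return PNG_ERR_TRUNCATED;

        /* The key check: the length the file claims must fit in the bytes
         * that are really left (minus the CRC) and respect the spec's
         * 2^31-1 ceiling. A decoder that copies clen bytes into a fixed
         * buffer without this test is overflowed by a crafted file. */
        if (clen > 0x7FFFFFFFu || clen > len - pos - 4)
            return PNG_ERR_LENGTH;
        if (nchunks == 0 && memcmp(ctype, "IHDR", 4) != 0)
            return PNG_ERR_ORDER;
        if (memcmp(ctype, "IHDR", 4) == 0 && clen != 13)
            return PNG_ERR_LENGTH;         /* IHDR is fixed at 13 bytes */

        pos += clen + 4;                   /* skip payload and CRC */
        nchunks++;
        if (memcmp(ctype, "IEND", 4) == 0)
            return nchunks;
    }
}

/* Constructed sample: a well-formed 1x1 greyscale PNG skeleton (45 bytes).
 * CRC fields are placeholders; this walker does not check them. */
static const unsigned char SAMPLE_GOOD[] = {
    0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,           /* signature            */
    0x00,0x00,0x00,0x0D, 'I','H','D','R',           /* IHDR, length 13      */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,       /* width 1, height 1    */
    0x08,0x00,0x00,0x00,0x00,                       /* 8-bit grey, no interlace */
    0x90,0x77,0x53,0xDE,                            /* CRC (placeholder)    */
    0x00,0x00,0x00,0x00, 'I','E','N','D',           /* IEND, length 0       */
    0xAE,0x42,0x60,0x82                             /* CRC (placeholder)    */
};

/* Copy the good sample and overwrite the IHDR length field with an
 * attacker-chosen value, then walk it. Models a crafted file. */
int walk_with_patched_length(uint32_t bad_len)
{
    unsigned char crafted[sizeof SAMPLE_GOOD];
    memcpy(crafted, SAMPLE_GOOD, sizeof crafted);
    crafted[8]  = (unsigned char)(bad_len >> 24);
    crafted[9]  = (unsigned char)(bad_len >> 16);
    crafted[10] = (unsigned char)(bad_len >> 8);
    crafted[11] = (unsigned char)(bad_len);
    return png_walk_chunks(crafted, sizeof crafted);
}

int main(void)
{
    printf("well-formed:        %d\n", png_walk_chunks(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("length 0xFFFFFFFF:  %d\n", walk_with_patched_length(0xFFFFFFFFu));
    printf("length 4096:        %d\n", walk_with_patched_length(4096));
    printf("truncated header:   %d\n", png_walk_chunks(SAMPLE_GOOD, 12));
    return 0;
}
```

The walker returns the chunk count for the sample file, and rejects the same bytes once the IHDR length is rewritten to 0xFFFFFFFF (over the spec ceiling), 4096 (more than the 25 bytes that remain) or 12 (not the fixed IHDR size), before any payload would be copied.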

Red Hat's advisory can be found here. The most recent Mozilla software can be downloaded here.

In an effort to encourage researchers to report flaws in Mozilla's browsers, the Mozilla Project recently announced an initiative to award a $500 cash prize for finding critical bugs. Mozilla officials admitted, however, that the sum was nominal - more of a "thank you" than a serious incentive.