Crash when plugin removes itself on Mac OS X
FireBreath developer Richard Bateman reported a crash on Mac OS X that occurred when a plugin deletes its containing DOM frame during a call from that frame. The observed symptom is a null dereference but we cannot rule out the possibility that content from a scriptable plugin such as Flash could find a way to dereference a more useful address and exploit it.
Accessing remote content is disabled by default When reading mail in Thunderbird and SeaMonkey. Successfully capturing keystrokes remotely would require some social engineering to convince the user to turn it on.
nsSVGValue out-of-bounds access
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler.
This vulnerability does not affect products prior to Firefox 8 and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if using a browser-like feature that allowed scripts to run; users are not at risk while reading mail.
Potentially exploitable crash in the YARR regular expression library
Miscellaneous memory safety hazards
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
These vulnerabilities did not affect the older browser engine used prior to Firefox 4.