Rather than repeating all the patches I’ll direct you to news.com which has a good summary of the patches along with links to the individual bulletins. The patches are available through automatic updates or individual downloads.

Happy patching and good luck.

One “critical” and one “moderate” vulnerabilities are patched in this update. The critical update is “Unescaped URIs passed to external programs” which is similar to the vulnerability that was found when IE 7 passed a malformed URI to Firefox.

The moderate vulnerability is “Privilege escalation through chrome-loaded about:blank windows”. This was dependant on add-ons creating about:blank windows.

Two other vulnerabilities were rated as “critical” by the Firefox team. A critical rating means:

Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Two vulnerabilities were rated as “high” which means:

Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.

The remaining three vulnerabilities where rated as moderate (1) or low(2).

The update will be installed through Firefox’s auto-update feature. You can force an update check by going to the Help on the menu and selecting “Check for Updates…”. You can also download the full version from the website and run the installation over your current installation. The update is for all languages on all operating systems.

The patch may be installed through the auto update feature of Flash Player or you can visit the About Flash Player page to see what version you have installed and download the update. You can also go directly to the Adobe Flash Player download page. If you run Flash under multiple browsers you’ll have to update the player for each browser. You’ll need to close all browser windows during the installation. The update is for Flash Player on both Windows and OS X.

The Quicktime update, to version 7.2 includes eight security vulnerability fixes some of which will allow code execution. It also includes updates to the H.264 codec, support for full screen viewing and “numerous bug fixes”. The update requires a reboot on both Mac and Windows.

The iTunes update brings iTunes to 7.3.1 and fixes a problem with iTunes 7.3 accessing the library. No other changes are documented.

Both patches are available through Apple software update or from the Apple download page.

Some impacts of a buffer overflow might include the introduction of executable code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Internet Explorer. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting someone to view malicious HTML code, most likely executed by getting a person to visit their web page.

The vulnerability exists in any Windows version of Messenger that was downloaded before June 8th. The vulnerability exists in the Windows version only. Mac, Mobile and Unix versions of Messenger are not affected. To update you need to download and run the full Messenger installation.

Enhancements include “enchancements and fixes for Windows Vista” and support for two new languages – Afrikaans (af) and Belarusian (be).

Beginning with version 2.0.0.3 there was a problem with the Java Console which is documented by Mozilla, this also exists with this update.

The Sun JRE installs a Java console extension in the program directory, which is not visible in Tools -> Add-ons. JRE 6 is not compatible with Firefox 2.0.0.3 due to the manifest file setting the maximum version number to 2.0.0.0. This causes a message about the Java console being disabled when you upgrade to Firefox 2.0.0.3. If you change that number to 2.0.0.* configure the Java control panel to show the Java console and run a Java applet, sometimes the console will work, other times it will hang Firefox (so it seems to be more than just a version check problem)

You’ll probably receive a warning that this add-on isn’t compatible when you install this update. If you need the java console refer to the FAQ for alternatives.

The update is available through Firefox’s built-in update function or you can download it from Mozilla.

Firefox 1.5 was also updated to Firefox 1.5.0.12 and includes similar updates. Mozilla has stated they intend this to be the last update to the 1.5 branch of their product.

Apple has also released an update to iTunes that now includes support for DRM free music. This update doesn’t have any security implications.