The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in some of the advisories outlining the most serious flaws.

Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical.

The disparity between the two versions' patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in that required upgrades of the "liboggz," "libvorbis," and "liboggplay" open-source media libraries.

Three of the four vulnerabilities spelled out in generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable or unwilling to patch the browser. Only one of the four engine crashes impacts Firefox 3.0.