Critical vulnerabilities can let a remote attacker run arbitrary code on a computer. With Web browsers becoming both more important and more powerful, browser makers must constantly watch for new attack possibilities.
Firefox 3.6 also gets a new general approach to cut down browsing risks: support for what's called the X-Frame-Options HTTP response header. Web site developers can use this technology to block browsers from showing their Web sites inside a frame--essentially a smaller window within the browser window. Putting a legitimate site inside a frame on a malicious site is one approach for attacks called clickjacking, in which the malicious site can capture keystrokes such as usernames and passwords.
The link for this article located at CNET is no longer available.
