A security researcher at MWR InfoSecurity known simply as Nils identified a flaw in Firefox 3.6.x that could be exploited to run arbitrary code. He won a Sony Vaio notebook, US$10,000, and other benefits relating to contest sponsor TippingPoint's Zero Day Initiative.
According to the security advisory from Mozilla, "By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object."
The release notes imply this is the only fix in version 3.6.3.
Mozilla has indicated that while Nils' exploit is only useful against Firefox 3.6.x, the underlying bug will be patched in a future release of version 3.5.x "just in case there is an alternate way of triggering the bug."
Users of Firefox on Windows or Mac OS X can most easily update to the new version with the Check for Updates command. The most recent versions of Firefox and other Mozilla programs may also be downloaded directly from Mozilla.