Mozilla is advising fans of Firefox to update the stable version of the browser after it released a patch for a security bug marked "critical" today.

Available for Windows, Mac, and Linux, Firefox 3.6.12 patches a heap buffer overflow that could allow for remote code execution. Mozilla notes that the bug affects the current version 3.6 branch of Firefox, the legacy version 3.5 branch, and could potentially affect Thunderbird users who load Web pages in the RSS reader.

The bug has not been found in the upcoming version 4, currently in beta development and behind schedule. Firefox 4 beta 7 was originally due in the middle of September, then pushed back to the end of September because of a stability bug. Mozilla has since initiated a code freeze on the next generation of its browser but has yet to update the schedule because of multiple critical bugs. It's expected that Mozilla's updated JavaScript engine will land in the seventh beta. Called JaegerMonkey, it's currently available for testing in the Firefox nightlies.