The critical flaws are in Firefox 3.5.8 and Firefox 3.0.18 and affect the browsers' Gecko rendering engines, the HTML parsers, and their implementations of Web Workers. The bugs could allow a hacker to inject their own malware onto the machine. According to this advisory:
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
The remaining two vulnerabilities are rated "moderate" and could be exploited in cross-site scripting attacks.
Firefox 3.6 does not need to be updated as the vulnerabilities were addressed when the browser shipped on Jan. 21.