Mozilla patches 13 bugs in Firefox 2

Computerworld - After patching its older Firefox 2.0 yesterday to quash 13 bugs, Mozilla Corp. announced that it would end support for the browser in mid-December.

Mozilla last patched Firefox 2.0 in April.

Firefox 2.0.0.15 addresses 13 vulnerabilities, five of which the open-source company rated "critical," according to advisories posted on Mozilla's site Tuesday. Of the remaining bugs, four were labeled "high," two as "moderate," and two as "low."

Three of the five critical flaws could be exploited by attackers to execute malicious code, said Mozilla, while the last two, involving JavaScript and pegged by the developer as "crashes with evidence of memory corruption," might lead to code-execution exploits.

Interestingly, one of the critical vulnerabilities isn't within the browser per se, but crops up only when one or more add-ons, dubbed "extensions" by Mozilla, are also installed. "Firefox itself does not use this feature in a vulnerable way, and users who have not installed any add-ons are not at risk," read the advisory. "We have, however, identified popular add-ons using this feature whose users are at risk, and there are no doubt others."

Among the extensions called out by Firefox programmers in the writeup on Bugzilla, Mozilla's bug tracking and management system, was Google Inc.'s Google Toolbar.

All 13 vulnerabilities patched yesterday in Firefox 2.0.0.15 had been fixed before Mozilla rolled out the final version of its new browser on June 17, a company spokeswoman said today. "Some were fixed months ago by nature of [Firefox's] re-architecture, others were fixed before release of Firefox 3 final," the spokeswoman said in an e-mail.

Firefox 2.0.0.15 can be downloaded from the Mozilla site in versions for Windows, Mac OS X and Linux. Users running Firefox 2.0 can call up the browser's built-in updater or wait for the automatic update notification, which typically appears within 24 to 48 hours after Mozilla posts a new version.

Mozilla also noted on its Web site today that Firefox 2.0 would roll off its support list in the middle of December 2008, approximately six months after the release of Firefox 3.0.

"Firefox 2.0.0.x will be maintained with security and stability updates until mid-December 2008," the company said. "All users are encouraged to upgrade to Firefox 3."

Mozilla's standard policy is to support older software for only six months after the release of a major update. Last year, however, the company extended the support lifespan of Firefox 1.5 by about a month, saying it needed more time to craft one last security patch for the browser.