Mozilla plugs 13 holes in Firefox, retires older 2.0 browser

Computerworld - Mozilla Corp. late yesterday patched 13 bugs in Firefox, nearly half of them labeled "critical," as it closed support for the two-year-old Firefox 2.0 by releasing that version's final security update.

The update patched slightly more vulnerabilities in Firefox than the last two security updates in November and late September.

Firefox 3.0.5 fixes a total of 11 flaws, six rated "critical," one "high," one "moderate" and three "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to crash the browser, introduce their own malicious code into a vulnerable system or both.

Among the most serious were a trio of vulnerabilities in the browser's layout and JavaScript engines, while others included XML binding and session restore bugs that could let hackers conduct cross-site scripting attacks, which are often used in sophisticated identity theft schemes. Yesterday's fixes in the layout and JavaScript engines follow an identical number of patches applied to the same components last month.

The single vulnerability pegged as high also involves data theft, but how much information criminals might be able to steal was tough to predict, Mozilla said. "How much data could be at risk would depend on the format of the data and how the JavaScript parser attempts to interpret it," the advisory said. "For most files, the amount of data that can be recovered would be limited to the first word or two. Some data files might allow deeper probing with repeated loads."

Mozilla also updated the older Firefox 2.0 line to Version 2.0.0.19, patching 10 vulnerabilities in all, eight of them shared with 3.0.5. Of the total, only three were rated critical.

As per Mozilla's support policy, yesterday's Firefox Version 2.0.0.19 was the final security update for the browser that debuted in October 2006. "Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible," said Samuel Sidler, a Mozilla engineer, in a post to the "mozilla.dev.planning" message group yesterday. "It's free, and your settings and bookmarks will be preserved."

Although the older browser is now officially retired, users can, of course, continue to use it. However, as Sidler mentioned, Mozilla has urged users to upgrade to Firefox 3.0, which launched last June. Since then, it has twice offered what it dubs a "major update" to users of the older browser, hoping to get them to move up. The most recent upgrade offer went out two weeks ago. Mozilla plans to make one final offer sometime early next month.

Compounding the retirement of Firefox 2.0 is Mozilla's decision to drop antiphishing protection from yesterday's Firefox 2.0.0.19. Done at Google Inc.'s request -- the search company produces the blacklist of risky sites -- the withdrawal means that users won't be warned of potentially dangerous URLs before they reach them.

Google asked Mozilla to disable the feature in Firefox 2.0.0.19 because the older browser line uses an obsolete protocol.

While there are no Mozilla-provided work-arounds, users who want to stick with the older browser can turn to alternative tools, including the Netcraft Toolbar, WOT (Web of Trust) and FirePhish extensions. All three can be downloaded from Mozilla's add-on site.

Mozilla Messaging's Thunderbird e-mail client, which relies on the Firefox rendering engine for JavaScript and other functionality, was not patched yesterday. It remains at Version 2.0.0.18. Until Thunderbird catches up -- an update is expected in early January -- users can protect themselves against the related Firefox vulnerabilities by disabling JavaScript in the e-mail program.

The new versions of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site, or users can call up their browser's built-in updater or wait for the automatic update notification, which should pop up in the next 48 hours.

Read more about Security in Computerworld's Security Topic Center.