Mozilla plugs 13 holes in Firefox, retires older 2.0 browser
Urges Firefox 2.0 users to upgrade to the newer version as it drops support and ditches antiphishing protection
Computerworld - Mozilla Corp. late yesterday patched 13 bugs in Firefox, nearly half of them labeled "critical," as it closed support for the two-year-old Firefox 2.0 by releasing that version's final security update.
The update patched slightly more vulnerabilities in Firefox than the last two security updates in November and late September.
Firefox 3.0.5 fixes a total of 11 flaws, six rated "critical," one "high," one "moderate" and three "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to crash the browser, introduce their own malicious code into a vulnerable system or both.
Mozilla also updated the older Firefox 2.0 line to Version 126.96.36.199, patching 10 vulnerabilities in all, eight of them shared with 3.0.5. Of the total, only three were rated critical.
As per Mozilla's support policy, yesterday's Firefox Version 188.8.131.52 was the final security update for the browser that debuted in October 2006. "Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible," said Samuel Sidler, a Mozilla engineer, in a post to the "mozilla.dev.planning" message group yesterday. "It's free, and your settings and bookmarks will be preserved."
Although the older browser is now officially retired, users can, of course, continue to use it. However, as Sidler mentioned, Mozilla has urged users to upgrade to Firefox 3.0, which launched last June. Since then, it has twice offered what it dubs a "major update" to users of the older browser, hoping to get them to move up. The most recent upgrade offer went out two weeks ago. Mozilla plans to make one final offer sometime early next month.
Compounding the retirement of Firefox 2.0 is Mozilla's decision to drop antiphishing protection from yesterday's Firefox 184.108.40.206. Done at Google Inc.'s request -- the search company produces the blacklist of risky sites -- the withdrawal means that users won't be warned of potentially dangerous URLs before they reach them.
Google asked Mozilla to disable the feature in Firefox 220.127.116.11 because the older browser line uses an obsolete protocol.
While there are no Mozilla-provided work-arounds, users who want to stick with the older browser can turn to alternative tools, including the Netcraft Toolbar, WOT (Web of Trust) and FirePhish extensions. All three can be downloaded from Mozilla's add-on site.
The new versions of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site, or users can call up their browser's built-in updater or wait for the automatic update notification, which should pop up in the next 48 hours.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts