More critical security flaws revealed and fixed in Firefox 2

Stephen Withers
Wednesday, 02 July 2008 14:15

Business IT - Open Source

Firefox 3 arrived with a bang last month, but its predecessor is still being maintained. Version 2.0.0.15, released this week patches a dozen security flaws, five of them rated critical.

At least two of the critical vulnerabilities permit the execution of arbitrary code, and another involves crashes with memory corruption, often taken as a sign that it may be possible to exploit the bug to trigger code execution.

Among the four high impact vulnerabilities fixed in 2.0.0.15 is one that's specific to Java LiveConnect on Mac OS X and allows arbitrary socket connections. Another in the category could be exploited to trigger the upload of arbitrary files.

Two of the remaining vulnerabilities were judged to be of moderate impact, and one was rated low (the category used for minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs).

Mozilla has not yet published security advisories for these bugs. One possible explanation is that a critical flaw found in Firefox 3.0 also existed in version 2.0.x, and a fix for the the new browser has yet to be released.
 
Even with the development of Firefox 3, there has been no shortage of updates for its predecessor during 2008. Version 2.0.0.14 appeared in April, 2.0.0.13 in March, and 2.0.0.12 in February. All contained one or more critical fixes.

Around 28 million copies of Firefox 3.0 have been downloaded from Mozilla's network or mirror sites.

According to Net Applications, Firefox 2 accounts for 16 percent of web usage, with Firefox 3 taking 2 percent. That's quite different from iTWire's readership, which is over 30 percent Firefox 3 and over 25 percent Firefox 2.