Editor’s Note: This story is excerpted from Computerworld. For more Mac coverage, visit Computerworld’s Macintosh Knowledge Center.
After patching its older Firefox 2.0 Tuesday to quash 13 bugs, Mozilla announced that it would end support for the browser in mid-December.
Mozilla last patched Firefox 2.0 in April.
Firefox 2.0.0.15 addresses 13 vulnerabilities, five of them rated “critical” by the open-source company, according to advisories posted on Mozilla’s site Tuesday. Of the remaining bugs, 4 were labeled “high,” 2 as “moderate,” and 2 as “low.”
Three of the five critical flaws could be exploited by attackers to execute malicious code, said Mozilla, while the last two, pegged as “crashes with evidence of memory corruption” by the developer and involving JavaScript, might lead to code execution exploits.
Interestingly, one of the critical vulnerabilities isn’t within the browser per se, but crops up only when one or more add-ons, dubbed “extensions” by Mozilla, are also installed. “Firefox itself does not use this feature in a vulnerable way and users who have not installed any add-ons are not at risk,” read the advisory. “We have, however, identified popular add-ons using this feature whose users are at risk and there are no doubt others.”
Among the extensions called out by Firefox programmers in the write-up on Bugzilla, Mozilla’s bug tracking and management system, was Google’s Google Toolbar.
While some of the vulnerabilities’ advisories specifically said that Firefox 3.0 is not affected or that the bug had been crushed before Mozilla rolled out the final version of its new browser June 17, the two ranked “low” omitted mention of Firefox 3.0.
Firefox 2.0.0.15 can be downloaded from the Mozilla site in versions for Windows, Mac OS X and Linux. Users running Firefox 2.0 can call up the browser’s built-in updater or wait for the automatic update notification, which typically appears within 24 to 48 hours after Mozilla posts a new version.
Mozilla also noted on its Web site Wednesday that Firefox 2.0 would roll off its support list in the middle of December 2008, approximately six months after the release of Fire 3.0.
“Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008,” the company said. “All users are encouraged to upgrade to Firefox 3.”
Mozilla’s standard policy is to support older software for only six months after the release of a major update. Last year, however, the company extended the support lifespan of Firefox 1.5 by about a month, saying it needed more time to craft one last security patch for the browser.