RealTime IT News

Path to Firefox 2.0 is Cleared

Mozilla has updated its now-legacy Firefox 1.5.x browser to version 1.5.0.8, with fixes for three critical security flaws.

The flaws do not affect the recently released Firefox 2.0 version. The latest 1.5.0.8 release will also include an update that will make it easier for existing users to get major upgrades from Mozilla.

Among the critical bugs fixed in this version is one titled "Crashes with evidence of memory corruption." The crashes could have been triggered by several bugs. According to Mozilla's analysis, there was potential for memory corruption that could potentially have been exploited to run arbitrary code.

Mozilla Foundation Security Advisory 2006-67 discusses a flaw in which a running script can be recompiled. According to the advisory, it was possible to modify a Script object while it was executing, potentially leading to the execution of arbitrary JavaScript bytecode.

Mozilla has pledged that it will maintain the Firefox 1.5.x line with stability and security updates until April 24, 2007, though it is "strongly encouraging" users to upgrade to Firefox 2.0.

One of the issues that has prevented some 1.5.x users from upgrading to Firefox 2.0 is that, to date, Firefox 1.5.x has not "advertised" that it can be updated to version 2.0.

Firefox includes a "check for updates" feature that "advertises" updates to users. Until the 1.5.0.8 release, the upgrade mechanism could advertise only minor point-release upgrades, not major upgrades.

Those who have downloaded Firefox 2.0 to date have done so by downloading it directly rather than by getting an automatic update via the "check for updates" notification. While Firefox 1.5.0.8 does include the major update capability, it does not yet directly notify users about Firefox 2.0. It is expected that the first major update to be advertised will be the forthcoming Firefox 2.0.1 release.