As it turns out Firefox 22.214.171.124 IS NOT the final Firefox 2.x release. Mozilla has admitted that it missed patching a flaw in Firefox 126.96.36.199 and is now in the process of pushing out a patched version in Firefox 188.8.131.52.
The exact flaw that was missed by Mozilla is not being publicly reported at this time. At first, Mozilla meeting notes on the issue simply stated:
The Firefox 184.108.40.206 build we shipped was incomplete
* Going to ship a Firefox 220.127.116.11 (sad face) as soon as possible
In a mailing list posting Mozilla developer Mike Beltzner provided just a little bit more detail.
We missed a fix due to an innocent clerical error in the build process, and will now be including it. No big deal.
Beltzner added that it was a Windows-only omission, and that it happened at the point where Mozilla packages and signs builds.
Seems innocent enough. But in my opinion it is still a cause for concern. Reverse engineering flaws is not an easy process, but it's not impossible. With simple tools like Metasploit out there that ‘weaponize’ vulnerabilities for point-and-click execution, there is an obvious need for a quick patch here. That said, Mozilla has updated Firefox 3.x properly and is encouraging all 2.x users to move to 3.x. So hey, you Firefox 2.x users – here’s another wakeup call for you!