Another day, another browser (or two) patched for security vulnerabilities.
This time, it’s Mozilla updating its open source Firefox Web browsers to versions 3.0.5 and 18.104.22.168 for at least 10 different vulnerabilities, four of which are critical.
The release covers more than security updates. The Firefox 3.0.5 release also replaces the Mozilla Firefox End User License Agreement (EULA). In addition, the 22.214.171.124 update is the end of the line for security updates to the 2.x series.
“Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible,” Mozilla developer Samuel Sidler wrote in a mailing list posting.
Changes to the Mozilla EULA had been under discussion since at least September of this year.
The issue among many supporters was whether Firefox needed a EULA, given that the software is open source. Mozilla has now replaced the EULA with a new “Know Your Rights” info bar on initial install, which explains what users are able to do with the software.
On the security side, Mozilla’s Security Advisory 2008-69 fixes XSS vulnerabilities in Firefox’s SessionStore.
“Mozilla security researcher moz_bug_r_a4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains,” Mozilla’s advisory warns. “An attacker could utilize these issues to violate the browser’s same-origin policy and perform an XSS attack while SessionStore data is being restored.”
Google security researcher Marius Schilder is credited by Mozilla for reporting the XMLHttpRequest (XHR)
The Firefox 3.0.5 update comes nearly a month after Mozilla issued its Firefox 3.0.4 update. It also comes as Mozilla rival Microsoft is rushing out an out-of-cycle patch for a critical zero-day flaw in the dominant Internet Explorer Web browser.
And development work moves on. Mozilla continues to oversee work on its next-generation Firefox 3.1 browser, which hit its Beta 2 milestone earlier this month.