Mozilla has updated its now legacy 1.5.x Firefox browser to version 1.5.0.8,
with fixes for three critical security flaws.
The flaws do not affect the recently
released Firefox 2.0 version. The latest 1.5.0.8 release will also include an update
that will make it easier for existing users to get major upgrades from
Mozilla.
Among the critical bugs fixed in this version is one titled
“Crashes with evidence of memory corruption.” The crashes could have been
triggered by several bugs. According to Mozilla’s analysis, there was potential for memory corruption that could have been exploited to run arbitrary code.
Mozilla Foundation Security Advisory 2006-67 discusses a flaw in which a
running script can be recompiled. According to the advisory, it was possible
to modify a Script object while it was executing, potentially leading to the
execution of arbitrary JavaScript bytecode.
Mozilla has pledged that it will maintain the Firefox 1.5.x line with
stability and security updates until April 24, 2007, though Mozilla is
“strongly encouraging” users to upgrade to Firefox 2.0.
One of the issues that has prevented some 1.5.x users from
upgrading to Firefox 2.0 is that, to date, Firefox 1.5.x has
not “advertised” that it can be updated to version 2.0.
Firefox includes a “check for updates” feature that “advertises” updates to users. Until the 1.5.0.8 release, the upgrade mechanism could advertise only
minor point release upgrades, not major upgrades.
Those who have downloaded Firefox 2.0 to date have done so by downloading
it directly, as opposed to getting an automatic update via the “check for
updates” notification. While Firefox 1.5.0.8 does include the major update
capability, it does not yet directly notify users about Firefox 2.0. It is
expected that the first major update to be advertised will be the
forthcoming Firefox 2.0.1 release.