December 17, 2008, 9:12 AM — Mozilla has issued eight patches for its Firefox Web browser, three of which fix problems classified as critical.
The patches come after security experts have recommended using a browser other than Microsoft's Internet Explorer 7 and older versions of IE due to a dangerous vulnerability. Microsoft is due to release an emergency patch for that problem Wednesday.
Two of the critical Firefox problems could allow an attacker execute a cross-site scripting attack, in which scripts or commands from one Web application that shouldn't run in another are successfully executed. The third problem relates to Firefox's browser engine, and could make it crash or possibly allow someone to remotely execute code on a PC, Mozilla said in its advisory.
Mozilla defines a critical vulnerability as one that could allow an attacker to run code on a machine in the course of normal Web browsing.
The patches are for Firefox version numbers 3.04 and 2.0.0.18. Mozilla has said this round of patches will be the last for Firefox 2, which it will now stop supporting. The update also removes the phishing filter in Firefox 2 because the browser uses an outdated version of a protocol used to import a blocklist of phishing sites supplied by Google. Firefox 2 users are being promoted to upgrade to Firefox 3.
Firefox's auto-update mechanism should automatically download these latest patches, and users will be prompted to restart the browser to complete the process.
