Firefox, open source

Another day, another browser (or two) patched for security vulnerabilities.

This time, it's Mozilla updating its open source Firefox Web browsers to versions 3.0.5 and for at least 10 different vulnerabilities, four of which are critical.

The release covers more than security updates. The Firefox 3.0.5 release also replaces the Mozilla Firefox End User License Agreement (EULA). In addition, the update is the end of the line for security updates to the 2.x series.

"Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible," Mozilla developer Samuel Sidler wrote in a mailing list posting.

The Firefox 2.x series debuted in October of 2006.

Changes to the Mozilla EULA had been under discussion since at least September of this year.

The issue among many supporters was whether Firefox needed a EULA, given that the software is open source. Mozilla has now replaced the EULA with a new "Know Your Rights" info bar on initial install, which explains what users are able to do with the software.

Regarding the critical security fixes, Mozilla has patched three different cross-site scripting vulnerabilities with the update. The Mozilla Foundation Security Advisory 2008-68 details an XSS and JavaScript privilege escalation issue that could potentially allow for arbitrary script execution.

Separately, Mozilla's Security Advisory 2008-69 covers fixes for XSS vulnerabilities in Firefox's SessionStore.

"Mozilla security researcher moz_bug_r_a4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains," Mozilla's advisory warns. "An attacker could utilize these issues to violate the browser's same-origin policy and perform an XSS attack while SessionStore data is being restored."
