Mozilla Corp. late Tuesday patched 11 vulnerabilities in Firefox 3.0, more than half of them labeled “critical,” and fixed 14 flaws in the older Firefox 2.0.

Firefox 3.0.2 quashes six critical bugs, four marked “high,” and one pegged as “low” in Mozilla’s four-step threat ranking system. Among the most serious were four stability bugs in the browser’s graphics rendering, layout and JavaScript engines that can crash the program and might be exploitable with malicious code.

“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” said Mozilla in the accompanying advisory.

Mozilla also updated the older Firefox to 2.0.0.17, patching all but one of the bugs fixed in 3.0.2, but also addressing several issues specific to the aging browser. It’s unclear how many more updates Mozilla will release for Firefox 2.0 — it doesn’t produce them on a set schedule — because it has already announced it will drop the browser this December. Yesterday, Mozilla continued to urge users to upgrade to Firefox 3.0.

One of the bugs in both Firefox 2.0 and 3.0, although rated only low, was described by Mozilla as a variant of a “click-hijacking” vulnerability first reported in Microsoft Corp.’s Internet Explorer by Liu Die Yu, a researcher noted for finding flaws in IE. Microsoft first patched the bug in 2003, then patched it again the following year.
A Mozilla developer, Paul Nickerson, was credited with uncovering the Firefox variant, which could be used to force a user to download a file.

Mozilla also addressed several other issues in Firefox with 3.0.2, including several stability problems and a bug that caused browsers with customized toolbars to delete the back and forward buttons.

Because the update was delayed to take into account some last-minute fixes, Mozilla also modified the licensing language in Linux versions to eliminate an end-user licensing agreement (EULA) that open-source advocates and users had objected to. Last week, Mitchell Baker, chairman of the Mozilla Foundation and Mozilla Corp., admitted that prompting Linux users to accept the EULA had been a “giant mistake.”

Users can download the update for Windows, Mac OS X and Linux from the Mozilla site, call up their browser’s built-in updater or wait for the automatic update notification, which typically appears within 24 to 48 hours.