The Firefox developer has issued updates to address "critical vulnerabilities" in versions 2 and 3 of its open-source browser.

Firefox describes a critical vulnerability as one that can be used to run attacker code and install software without user interaction beyond normal browsing.

Security, Stability, Accessibility

Firefox 3.0.5 and Firefox 2.0.0.19 are now available for Windows , Mac and Linux . Firefox 3.0.5 fixes eight security vulnerabilities, three of them critical. The critical fixes include XSS vulnerabilities in SessionStore, XSS and JavaScript privilege escalation, and crashes with evidence of memory corruption .

The Firefox 3.0.5 update also fixes several stability issues and issues found in accessibility implementation, adds the ability to send OS-specific system notes in the crash reporter, and replaces the End-User License Agreement with a new "Know Your Rights" info bar on the initial installation. With Firefox 3.0.5, the browser becomes available in Bengali, Esperanto, Galician, Hindi and Latvian.

Discontinuing Firefox 2 Support

"Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible. It's free, and your settings and bookmarks will be preserved," the Firefox advisory said.

Firefox 2.0.0.19 fixes 10 bugs in the browser, four of which are critical. The critical patches fix XSS vulnerabilities in the SessionStore, XSS and JavaScript privilege escalation, additional XSS attack vectors in feed preview, and crashes with evidence of memory corruption.

"Also, the Phishing Protection service will no longer be available for Firefox 2 users," Firefox said. "Firefox 3 offers a free Phishing and Malware Protection service, which will continue to protect you from online scams and attacks."

Browser Insecurities

These highly critical vulnerabilities found in Firefox show that no browser is immune to programming flaws, according to Wolfgang Kandek, CTO of Qualys.

"A program as powerful and complex as Firefox -- or for that matter, Internet Explorer -- has a high chance to contain vulnerabilities in its myriads of features," Kandek said. "In this case one of the vulnerabilities abuses the Firefox 'SessionStore' API, which is a comfort feature of Firefox, and unnecessary for normal Internet browsing."

As Kandek sees it, a smaller, leaner browser will most likely be able to maintain a better security record than its over-featured competitors. That assumption leaves the door open for a browser like Google's Chrome.

"It will be interesting to see how Google¹s Chrome browser fares in comparison to both Firefox and Internet Explorer," Kandek said. "On the positive side, Firefox's integrated upgrade mechanism provides users a quicker update cycle than Microsoft's OS-based update program and assures that Firefox users are always using the latest and safest version of the software."