Mozilla Foundation released updates for Firefox that fix five vulnerabilities present in both the 2.0.0.x and 1.5.0.x versions of the browser. One vulnerability could lead to browser crashes, and Mozilla considers that vulnerability to be critically dangerous. Another vulnerability rated as highly dangerous could let intruders inject scripts from one site into another site. Such cross-site scripting violates the browser's same-origin policy. The other three vulnerabilities are rated as low risks and involve problems with cookie path abuse, Denial of Service (DoS) by using the browser's autocomplete feature for form input, and spoofing content by exploiting pop-up features.
The new versions, Firefox 2.0.0.4 and Firefox 1.5.0.12 correct the vulnerabilities. A spokesperson for Mozilla said, "We anticipate this to be the last release in the Firefox 1.5.0.x series." So unless a serious problem is discovered in the 1.5.0.x series, there won't be any further updates made available. The foundation provides support for legacy versions for six months after a major version release becomes available. Support for 1.5.0.x had already been extended beyond the six month window "to accommodate some recent changes in update functionality."
"Over the coming weeks, Mozilla will be presenting 1.5.0.12 users with a notification message that will offer users a 'major update' to Firefox 2. Upon confirmation \[by the user, the\] browser will be upgraded from 1.5.0.12 to 2.0.0.4," the spokesperson said.
Firefox 2.0.0.4 also fixes several problems that occur when the browser is used on Windows Vista
