aPlanned Project
Side Design Tabs Side Design Tabs
  • Bookmark and Share
    • Tweet This Article?
Leaf.

Mozilla To Drop Support For Firefox 2

  • Published by: Christopher Hennis
  • November 17, 2008

Mozilla has decided to end support for Firefox 2 around mid-December, just two weeks after releasing Firefox 3.0.4 (download for Windows and Mac) and Firefox 2.0.0.18 to address a dozen security flaws, half of which the browser maker ranks as critical.

This is all part of Mozilla’s new policy referred to as “EOL”, or “End Of Life”. The policy ends support for any product 6 months after a newer version is released. With so many bugs being discovered, critical bugs, and with the amount of internet users who are still using the Firefox 2 chain of browsers, you have to ask yourself if this is a good idea or not. Yes, there is a policy in place, and a policy isn’t a policy unless you adhere to it and police it, but exceptions can be made. I for one don’t think anyone would ultimately hold Mozilla accountable for breaking said policy, especially when so many internet users are still at risk of such dangerous attacks as arbitrary code being executed within infected Flash Media files.

No support will mean just that; No more security updates, no new features, no nothing essentially. While this will not spawn anarchy on the internet, it will spawn a lot of potential problems for those who procrastinate to upgrade their browser version, and let’s not forget about the percentage of those who surf the internet and have no concept even of the importance of doing so. Just take a look at IE6 and the amount of internet users who are still using that browser.

And yes, there’s more; Support will also cease for the Gecko 1.8 layout engine that underlies both Firefox 2 and the Thunderbird 2 email client. The move will affect a range of third-party Gecko-based browsers, such as SeaMonkey, the Mac-only Camino and the Unix/Linux browser Galeon.

Mozilla is pressing on with the transition despite criticisms of Firefox 3 from some quarters, including some organisations that have found the newer browser unusable due to particular bugs.
Some users have noted that Firefox 3 appears to be more prone to crashing than the older browser, and has problems with using too much memory. The browser’s new location bar has also come in for criticism. Earlier this month, a system administrator for the University of Bergen commented that a bug related to the use of network drives had meant the organisation could not install Firefox 3.

Mozilla assured developers that support would continue for Thunderbird 2 past December, despite the fact that it is based on the now-outmoded Gecko 1.8 engine.
“Mozilla (in some form) will provide support for Thunderbird based on the official lifecycle policy,” said Mozilla’s Michael Connor in a recent message to the Mozilla planning mailing list.

The support situation for third-party browsers based on Gecko 1.8 is more ambiguous, according to Firefox director Mike Beltzner. While he acknowledged that Mozilla developers’ focus would no longer be on Gecko 1.8, he said third-party developers would still be free to maintain the software and fix bugs.

Wow, thank you so much for allowing us the freedom to do such a thing, Mike. And I’m sorry if I sound a bit sarcastic and loathsome, but I for one think this is a terrible idea to go through with, especially with the amount of vulnerabilities found in Firefox as of late. I can’t help but wonder if Mozilla is feeling the pressure of Google’s own web browser: Chrome. What do you guys think?

The critical Firefox vulnerabilities:

  • A crash and remote code execution is possible in nsFrameManager. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initialising. Details can be found in CVE-2008-5021.
  • There is a buffer overflow in http-index-format parser as a result of the way Mozilla parses the http-index-format Mime type. Mozilla said by sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer. Details can be found in CVE-2008-0017.
  • Mozilla said the browser’s session-restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Details can be found in CVE-2008-5019.
  • Mozilla developers identified and fixed several stability bugs which may cause crashes in the browser engine used in Firefox and other Mozilla-based products. Details can be found in CVE-2008-5016 and CVE-2008-5017.
  • Mozilla said by tampering with the window.__proto__.__proto__ object, a remote attacker can cause the browser to place a lock on a non-native object, leading to a crash and possible execution of arbitrary code. Details can be found in CVE-2008-5014.
  • Mozilla said an SWF file that dynamically unloads itself from an outside JavaScript function can cause the browser to access a memory address no longer mapped to the Flash module, resulting in a crash. This crash could be used by an attacker to run arbitrary code on a victim’s computer. Details can be found in CVE-2008-5013.

Visit Mozilla Foundation Security Advisories

Subscribe to our RSS Feed

Related Posts

Posted In

articles > firefox > mozilla > news > webapplications

Last Modified

This post was last modified on January 1, 2009
  • Digg
  • del.icio.us
  • Mixx
  • Google
  • Live
  • Technorati
  • Propeller
  • StumbleUpon
  • TwitThis
  • BlinkList
  • Facebook
  • NewsVine
  • LinkedIn
  • Reddit
  • MisterWong
  • Simpy

Leave a Reply

Our Homies.
friends bottom
Browse JungleJar By Category
Web Development (Computers & The Internet) - TOP.ORG TopOfBlogs
Footer Fab Left Footer Fab
© JungleJar.com 2007-2009 All Rights Reserved.