The reason for the last Firefox 2 release: multiple security fixes

If the manufacturer of a product acknowledges a series of potentially hazardous defects before anyone else can be hurt by them, and the solution is already available, perhaps the word "responsibility" applies in a good way.

In a clever and, in retrospect, appropriate handling of what might otherwise have been categorized as a security mess, Mozilla released a new build of Firefox 2 on Tuesday, just prior to its acknowledgment of no fewer than twelve security vulnerabilities affecting prior versions, discovered by twelve separate sources. As it turns out, version 2.0.0.15 contains the fix for those problems.

With two solutions to these problems already in wide deployment -- the second being Firefox 3 -- and with a dozen or more private engineering teams dedicated to finding vulnerabilities before someone else does, the possible pervasiveness of any "zero-day" exploits inspired by the vulnerabilities' disclosure, as reported by Secunia yesterday, is clearly reduced.

It's also clear that the balance of innovation is shifting to the good guys. One of the twelve exploits, for instance, concerns how Firefox was implementing a protective wrapper that kept scripts from being capable of running arbitrary code. An engineer with the handle moz_bug_r_a4 discovered that this protective wrapper was only being applied to Firefox's own scripts, and not to scripts that are either employed by third-party add-ons or to dynamically generated scripts, pieced together in memory by means of other scripts.

"Firefox itself does not use this feature in a vulnerable way and users who have not installed any Add-ons are not at risk," the organization acknowledged on Tuesday. "We have, however, identified popular Add-ons using this feature whose users are at risk and there are no doubt others."

In another addressed vulnerability, also rated "Critical," a team of five researchers apparently went to work exploring all the classic cases of memory corruption that occur when Firefox 2 crashed -- and it did that quite often. (Seems so long ago already.) Could security holes on account of memory corruption be exploited, maybe if the user restarts Firefox 2 without rebooting the computer first?

Though that question wasn't completely answered, the evidence was apparently pointing in a bad direction. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the organization said.