Forum Thread: Firefox 2 isn't tagged as End-of-Life yet

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Alan_Baxter Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 03:05
Ranking: 0
Posts: 61
User Since: 1st Mar, 2009
System Score: N/A
Location: US
I think Firefox 2 should be tagged as End-of-Life. It received its last security update on 18 December 2008. With the release of Firefox 3.0.6 on 3 February, vulnerabilities were patched that aren't patched in Firefox 2. Firefox 2 is insecure because it's unpatched. It should be tagged as End-of-Life because no security patches are planned.

Am I reporting this in the right place for providing feedback to the Secunia team?

Bob_Primak RE: Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 08:26
Score: 0
Posts: 45
User Since: 28th Feb 2009
System Score: N/A
Location: Hinsdale, Illinois, US
Last edited on 1st Mar, 2009 08:27
Agreed. And I am sure someone will see this. Remember, Secunia OSI and PSI are not version checkers. They only report programs where serious security flaws have been demonstrated.

-- Bob --

Alan_Baxter RE: Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 08:49
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
Last edited on 1st Mar, 2009 08:51
on 1st Mar, 2009 08:26, Bob_Primak wrote:
Remember, Secunia OSI and PSI are not version checkers. They only report programs where serious security flaws have been demonstrated.

Good point, Bob. I wouldn't be surprised if the last version of Firefox 2 has many if not all of the vulnerabilities patched in Firefox 3.0.6. I think they haven't been reported only because there's no Firefox 2 specific patch available. Secunia is making a mistake here by not reporting these as Firefox 2 vulnerabilities too. Surely the bad guys know about them, now that they've been publicized by the Firefox 3.0.6 patch and vulnerability report.

After further consideration, I think Firefox 2 should be tagged as Insecure instead of End-of-Life. After all, it's "patched" by Firefox 3.

Vulnerabilities patched in Firefox 3.0.6
From http://secunia.com/advisories/33799/
Mozilla Firefox Multiple Vulnerabilities
Secunia Advisory: SA33799
Release Date: 2009-02-04
Popularity: 7,360 views
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x
Bob_Primak RE: Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 09:14
Score: 0
Posts: 45
User Since: 28th Feb 2009
System Score: N/A
Location: Hinsdale, Illinois, US
Insecure vs End of Life is splitting hairs. It should be flagged for action either way.

--
-- Bob --
Alan_Baxter RE: Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 16:23
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
The hair might be thick enough to matter. It seems like some, if not all, End-of-Life programs aren't reported in the Simple interface mode. I have one like that on my system. In the case of Firefox 2, it's especially important that non-advanced users be informed they're using a browser with multiple Highly Critical vulnerabilities.
Bob_Primak RE: Firefox 2 isn't tagged as End-of-Life yet
Member 1st Mar, 2009 19:42
Score: 0
Posts: 45
User Since: 28th Feb 2009
System Score: N/A
Location: Hinsdale, Illinois, US
Last edited on 1st Mar, 2009 19:42
Which is why I use the Advanced User Interface. That is not splitting hairs.

--
-- Bob --
