Mozilla has patched 14 vulnerabilities – three of them critical – in its open source Firefox browser.
But it has released the new versions with several flaws still unfixed. Firefox 184.108.40.206 and Firefox 220.127.116.11, which were originally due to be released on Wednesday, were delayed to patch a series of bugs, including some disclosed this month by Polish researcher Michal Zelewski. Two others forwarded to Mozilla developers by Zelewski did not make it into the updates, however.
"Neither of those will make this release," said Daniel Veditz, of the Mozilla security. "It is important that we get the security fixes we have into the hands of our users."
Of the bugs filed by Zelewski but not fixed in the updates, the most serious is a memory corruption flaw that could let attackers inject code remotely into Firefox-equipped machines simply by duping users into visiting a malicious web page.
"Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable, memory corruption vulnerability," wrote Zelewski in the Bugzilla database.
A third bug discovered by Zelewski, which could give cybercriminals a leg up when running phishing attacks, is also unrepaired in the latest browser versions.
Mozilla has spelled out the security fixes in Firefox 18.104.22.168 and 22.214.171.124.
Firefox 126.96.36.199 is nearly at the end of its supported lifespan. After 24 April, Mozilla will stop issuing security and stability updates to that edition.
Firefox 188.8.131.52 can be downloaded from the Mozilla website in versions for Windows, Mac OS X and Linux in 36 languages. Users can also update current editions with the Check for Updates command in the Help menu.