Firefox 2.0.0.2 and Firefox 1.5.0.10, which originally were to release on Wednesday, were delayed to patch a series of bugs, including some disclosed this month by Polish researcher . Two others forwarded to Mozilla developers by Zelewski, however, didn't make it into Friday's updates.

"Neither of those will make this release," said Daniel Veditz, of the Mozilla security in an e-mail. "It is important that we get the security fixes we have into the hands of our users."

Of the bugs filed by Zelewski but not fixed in the updates, the most serious is a memory corruption flaw that could let attackers inject code remotely into Firefox-equipped machines simply by duping users into visiting a malicious Web page. "Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable, memory corruption vulnerability," wrote Zelewski in the .

Security vendor Symantec Corp. agreed. "Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. This could facilitate the remote compromise of affected computers," it reported in an alert sent to subscribers to its DeepSight threat system. , the federally funded vulnerability monitoring center, also issued a warning Friday, and recommended that Firefox users disable JavaScript.

Also unrepaired in the latest browser versions is a third Zelewski-discovered bug that could give cybercriminals a leg up when running phishing attacks.