Firefox 3.0.13, the update to the older browser that Mozilla will drop from its support list in January 2010, patches two bugs, while Firefox 3.5.2 fixes a separate flaw.
The vulnerabilities patched by Firefox 3.0.13 were disclosed last Thursday by Dan Kaminsky of IOActive and a security consultant who calls himself Moxie Marlinspike, at Black Hat in Las Vegas.
Independently, Kaminsky, best known as the discoverer of the , and Marlinspike demonstrated how in browsers' implementation of SSL (Secure Sockets Layer), the Web's default encryption protocol.
Attackers could hijack a Web session to steal critical passwords or trick Firefox users into accepting a bogus software update that contained malware.
Firefox 3.5 was already safe from such attacks, since Mozilla's developers had built it with a newer, more secure version of NSS (Network Security Services), the set of code libraries that provides SSL support in the browser.