That's why Firefox 3.5.2 patched only one vulnerability, a bug in how the browser handles replies from a SOCKS5 proxy. Mozilla rated the threat as "low" since it found no evidence of memory corruption, necessary to let hackers inject their own malicious code into the machine.

The SOCKS5 bug had been , which Mozilla issued July 21. It's unclear whether Mozilla simply forgot to patch the bug in Firefox 3.5.1, a fast-track update on July 16 to stymie a zero-day flaw, or if news of the SOCKS5 vulnerability reached Mozilla between Firefox 3.5.1 and 3.0.12.

Mozilla has shuttered access to the SOCKS5 flaw on its Bugzilla bug- and change-tracking database, so it's impossible to tell when the bug was logged. But because the (Common Vulnerabilities and Exposures) assigned to the vulnerability was activated July 15, either explanation is plausible.

Mozilla did not respond to a request for clarification Monday evening about whether it missed the SOCKS5 bug.

According to Web metrics company Net Applications, Firefox accounted for 22.5% of all browsers used worldwide during July. About Firefox users are still running 3.x, not the newer 3.5.