Mozilla has plugged two critical security holes in versions 2 and 3 of Firefox.

Version 2.0.0.16 fixes a code injection risk involving vulnerabilities in its CSS reference counter, and a flaw in handling command-line URLs that means multiple tabs can be launched when Firefox is not running. The first flaw also affects the Thunderbird email clients when JavaScript is enabled for email reading. Such a set-up is generally a bad idea.

Mozilla has also released a stability and security upgrade for the latest version of its browser. Firefox 3.0.1 includes fixes for the same two bugs that affect the earlier version of the browser, as well as a fix for a bug specific to version 3 which means malformed GIF files pose a code injection risk to Mac OS X systems running the latest version of the browser.

Firefox 3.0.1 - the first upgrade to the latest version of Mozilla's flagship browser software - came out on Wednesday, a day after the version 2 update. Support for version 2 ends in mid-December. ®

Related stories

• Firefox update fixes four critical flaws (13 November 2008)
• Chrome sweeps carpet-bombing bug under the rug (22 October 2008)
• Firefox update fixes critical bug brace (24 September 2008)
• Carpetbomb bug tarnishes Google Chrome (3 September 2008)
• Mozilla dishes up teasers for concept browser (7 August 2008)
• Mac users urged to ditch Safari (5 August 2008)
• Thunderbird patches are go (25 July 2008)
• Mozilla insists Firefox 3.1 won't hit bum note for developers (14 July 2008)
• Mozilla develops browser security metrics (8 July 2008)
• Opera update fixes stability bugs (4 July 2008)
• Microsoft touts trustworthy browsing with IE8 (3 July 2008)
• Firefox 3 makes up world record to set world record (3 July 2008)
• Built-in browser expiry proposed to fight botnet menace (3 July 2008)
• Web browsers face crisis of security confidence (23 June 2008)
• Threat remains despite Safari carpet bombing fix (23 June 2008)
• Bugs casts shadow over Firefox 3 (19 June 2008)