Mozilla Fixes XSS Flaw in Firefox 16.0.2 Release
Mozilla has announced availability of Firefox version 220.127.116.11, an emergency update to address a serious flaw in the way the browser treats the LocationObject. According to the advisory, successful exploitation of this flaw can result in cross site scripting or code execution.
Firefox. Image courtesy of the Mozilla Foundation
The bug discovered by security researcher Mariusz Mlynski forced Mozilla developers to release the third emergency fix in a month since the introduction of version 16 of the popular browser.
“The true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users,” reads the security advisory.
A secondary issue affects the CheckURL function that could lead to cross-site scripting or local execution of code (i.e. malware). Although the advisory is primarily focused on the Firefox browser, it also affects two other Mozilla products: Thunderbird and SeaMonkey – a popular e-mail client and an all-in-one app that can be used for browsing, e-mailing, RSS reading and IRC communication, respectively.
Users running older versions of Firefox are advised to update immediately using the auto-update feature built into the browser.
As of September 2012, Firefox was the second most used browser in the world with 32.2% of the browser market, after Google’s highly-popular Chrome (44.1%).