Mozilla is currently in the process of rolling out an update for the stable version of Firefox that is bringing the web browser to version 16.0.2. This is in fact the second update in this release period; the first was released shortly after Firefox 16.0 was pulled by Mozilla due to security issues found in that version.
Firefox 16.0.2 fixes critical security vulnerabilities in Firefox's location object. Affected are the Firefox stable release, Firefox Extended Support Release (ESR), Thunderbird stable and ESR, and SeaMonkey. Mozilla notes that the desktop email client Thunderbird is only exposed to the location issues through RSS feeds or extensions that load web content. It is nevertheless recommended to upgrade the email client as well to fix the issues at hand.
Below is a list of issues fixed in the new release:
window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
Location object, allowing the cross-origin reading of the
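The first item above describes a general JavaScript hazard: any check that turns a content-reachable object into a string through implicit coercion ends up calling that object's own valueOf or toString, which page content can replace. The following is an added example, not Mozilla's code and not from the original article; MockLocation, the trusted origin "https://trusted.example" and the two check functions are constructed here to show a naive check being confused by a replaced valueOf and an own-property href, alongside a hardened check that reads the underlying value through a getter captured at load time and backed by a private field, so instance-level shadowing cannot reach it.

```javascript
// Added example (constructed): a stand-in for a Location-like object.
// The private field plays the role of the browser's internal href slot:
// content code can add or replace properties on the instance, but it
// cannot touch #href or call the getter on an object that lacks the field.
class MockLocation {
  #href;
  constructor(href) { this.#href = href; }
  get href() { return this.#href; }
  valueOf() { return this.#href; }
  toString() { return this.#href; }
}

// Captured once, before any content script runs, so later tampering with
// the instance (or with MockLocation.prototype) does not change what we call.
const hrefGetter = Object.getOwnPropertyDescriptor(MockLocation.prototype, "href").get;

const TRUSTED_ORIGIN = "https://trusted.example"; // constructed for the demo

// Naive check: "" + obj invokes obj.valueOf(), which content controls.
function isTrustedOriginNaive(locationLike) {
  try {
    return new URL("" + locationLike).origin === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Hardened check: read the href through the captured prototype getter.
// The getter throws a TypeError for anything that is not a genuine
// MockLocation (no #href brand), which we treat as untrusted.
function isTrustedOriginHardened(locationLike) {
  try {
    const href = Reflect.apply(hrefGetter, locationLike, []);
    return typeof href === "string" && new URL(href).origin === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Runs both checks against a legitimate object and one that content has
// tampered with, returning the results so they can be inspected or asserted.
function demo() {
  const legit = new MockLocation("https://trusted.example/app");

  // Constructed tampering: the real location is a different origin, but
  // content replaces valueOf and shadows href with an own data property.
  const shadowed = new MockLocation("https://other.example/page");
  shadowed.valueOf = () => "https://trusted.example/app";
  Object.defineProperty(shadowed, "href", { value: "https://trusted.example/app" });

  return {
    naiveLegit: isTrustedOriginNaive(legit),              // true
    naiveShadowed: isTrustedOriginNaive(shadowed),        // true: fooled by valueOf
    hardenedLegit: isTrustedOriginHardened(legit),        // true
    hardenedShadowed: isTrustedOriginHardened(shadowed),  // false: reads #href
    hardenedForeign: isTrustedOriginHardened({ href: "https://trusted.example/" }), // false
  };
}

console.log(demo());
```

The point for defenders is the same one Mozilla's fix addressed: a security decision about a URL must be based on a value the content cannot redefine, obtained through an interface captured before content runs, rather than on whatever string the object happens to coerce to at the moment of the check.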
Firefox 16.0.2 is already available via automatic update. If your browser has not picked up the new version yet do the following to check for the update manually:
The browser then checks for the update and will download and install it afterwards. To manually check for updates in Thunderbird, select Help > About Thunderbird while the email program is open.
You can alternatively download the latest version of Firefox or Thunderbird from Mozilla.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.