Firefox 16.0.2, Thunderbird 16.0.2 released
Mozilla is currently rolling out an update for the stable version of Firefox that brings the web browser to version 16.0.2. This is in fact the second update in this release period; the first was released shortly after Firefox 16.0 was pulled by Mozilla due to security issues found in that version.
Firefox 16.0.2 fixes critical security vulnerabilities in Firefox's location object. Affected are Firefox stable releases, Firefox Extended Support Releases, Thunderbird stable and ESR, and SeaMonkey. Mozilla notes that the desktop email client Thunderbird is only affected by location issues through RSS feeds or extensions that load web contents. It is however still recommended to upgrade the email client to fix the issues at hand.
Below is a list of issues fixed in the new release:
- Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
- Mozilla security researcher moz_bug_r_a4 discovered that window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
- Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the
Firefox 16.0.2 is already available via automatic update. If your browser has not picked up the new version yet, do the following to check for the update manually:
- Click on the Firefox button
- Select Help > About Firefox from the menu that opens up
The browser then checks for the update and will download and install it afterwards. To manually check for updates in Thunderbird, select Help > About Thunderbird when the email program is open.
You can alternatively download the latest version of Firefox or Thunderbird from Mozilla.