Several security vulnerabilities in Firefox 16 are being addressed in an update of the browser software released by the Mozilla Foundation. This is the second time in the last two weeks that the browser has had to be updated to address security problems.
All the security issues are related to the “Location” object in the software. One of the flaws, when combined with some plug-ins, could be exploited to perform cross-site scripting attacks on users. Those attacks typically are used to infect Web applications at trusted websites and push malicious code to unsuspecting visitors of those sites.
Another vulnerability involves the CheckURL function in the browser’s code, which could be forced to return a wrong value. Mozilla said this could be exploited in a cross-site scripting attack, or be used to execute arbitrary code to a browser add-on that interacts with the content on a page.
A third defect addressed by the update allowed the security wrapper on the Location object to be bypassed by a hacker.
Mozilla also pushed out an update of its Thunderbird email client to address to fix similar flaws in that program. It explained in a blog on the update that the Location vulnerabilities addressed by the new release would have less impact on Thunderbird because it uses those functions only through RSS feeds and extensions that load Web content.
When Firefox 16 was released on October 9, it addressed vulnerabilities outlined in 14 security advisories, 11 of them “critical.” Within 24 hours of that release, Mozilla halted downloads of the software because of security concerns. To address those concerns, Mozilla released version 16.0.1 of its browser. That release plugged the hole that allowed malicious websites to read the browsing history of visitors to those sites.
John Mello writes on technology and cyber security for a number of online publications and is former managing editor of the Boston Business Journal and Boston Phoenix. Disclosure: He also writes for Hewlett-Packad's marketing website TechBeacon.