Mozilla patches a security flaw introduced by Firefox 16

By on October 11, 2012, 4:30 PM

Folks who installed Firefox 16 on Tuesday may want to ensure that they've received an update released this afternoon (16.0.1) which addresses a security flaw. On Wednesday, Mozilla halted distribution of Firefox 16 after learning about a vulnerability that could allow a malicious site to determine which sites users have visited and access the URL or URL parameters. Although the hole was revealed publicly on a UK JavaScript blog, Mozilla says there's no indication that the bug is being exploited in the wild.

Speaking with Ars Technica, Aspect Security CEO Jeff Williams offered a more detailed explanation: "Looks like Firefox introduced a code change that allows a malicious webpage to run some JavaScript that can access the 'location' (the URL bar) of windows," he said. "So attackers can abuse this by using JavaScript to open other windows to protected websites. Then that JavaScript can access the URL and give it to the attacker. This should result in an 'Error: Permission denied' message, but FF16 allows it."

Mozilla released a fix for the latest version of Firefox across all platforms including Windows, Mac, Linux and Android. You can download this update manually, though you shouldn't have to do anything if you have automatic updates enabled. This particular issue doesn't affect users running an older version of the browser.

Firefox 16's new developer command line

Security blunder aside, Firefox 16 brings many improvements over August's build, including improved support for Mac OS X Lion, the introduction of incremental garbage collection, a greater implementation of HTML5 and CSS3, a developer command line, a Reader Mode for Android and more bug fixes than we care to count.




User Comments: 5

Darth Shiv said:

Still waiting on TLS 1.2 support! Can't tell if it is there but presuming it isn't if it hasn't been mentioned.

Ray Greaves said:

Since the automatic update to version 16.0.2, Firefox will NOT save my home page. It will go to my selected home page as long as I stay logged in, but once I log out and return, it goes back to the default Firefox start page. I do NOT take kindly to automatic updates that result in inferior operation and if this is not remedied I shall abandon a long-time use of Firefox and go to Chrome.

Nothing on the Firefox support site provides a remedy for this fault.

Darth Shiv said:

Since the automatic update to version 16.0.2, Firefox will NOT save my home page. It will go to my selected home page as long as I stay logged in, but once I log out and return, it goes back to the default Firefox start page. I do NOT take kindly to automatic updates that result in inferior operation and if this is not remedied I shall abandon a long-time use of Firefox and go to Chrome.

Nothing on the Firefox support site provides a remedy for this fault.

You do know Chrome does auto updates too?

Ray Greaves said:

Darth, Yes I do know. What I object to is an update that introduces errors, not updates themselves.

Darth Shiv said:

Darth, Yes I do know. What I object to is an update that introduces errors, not updates themselves.

Any update can introduce errors. If you don't want updates, you can disable them. Same for any software - pity Firefox had a regression but that's a risk with a rapid release and auto-update system (which Chrome also has).
