Mozilla fixes security flaw in latest Firefox

Warwick Ashford

Mozilla has released a fix for the latest version of its Firefox browser a day after it was withdrawn due to a security flaw.

The non-profit organisation said the vulnerability in Firefox 16 could allow a malicious website to capture web history, enabling hackers to see what websites people had visited.

Mozilla announced in a blog post that an update for Firefox for Windows, Mac, Linux and Android has been released.

The updated Firefox 16.0.1 is available through automatic updates and as a new download from the Mozilla download site.

Version 16 was withdrawn within a day of release. Mozilla said a limited number of users had been affected, but there was no evidence the vulnerability had been exploited by hackers.

However, Tal Be'ery, web researcher at security firm Imperva, said a proof-of-concept exploit for the vulnerability exists.

The flaw in Firefox 16 meant the browser was leaking a URL's data across domains by not restricting JavaScript's "location" method, he said.

In theory, a user would browse to a malicious exploit site; the attacker site would open a new window on Twitter; anyone signed in to Twitter would be redirected to a URL that contains their personal Twitter ID; and the attacker could then query the new window for its URL and obtain the victim's personal Twitter ID.

On previous versions of Firefox, this attack would fail, but a regression in Firefox 16 allowed it to work.
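The rule the attack abuses is the same-origin policy as applied to a cross-origin window's Location object: a page may navigate a window it opened (set `location.href`, call `location.replace()`), but it may not read that window's current URL once the window has moved to another origin, because the URL can carry identity or session data. The script below is an added illustration, not Firefox's code and not Imperva's proof of concept. It models a browsing context, the origin check a browser is supposed to apply when handing out a Location object, and the attacker-side probe; a flag emulates the regressed behaviour. The site and user names are constructed stand-ins, not real Twitter URLs.

```javascript
// Added simulation of the cross-origin window.location rule. Assumptions:
// FakeWindow, probeOpenedWindow, runScenario and the *.example URLs are
// constructed for this example and do not come from Firefox or the article.

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = 'SecurityError'; }
}

// Origin = scheme + host (+ port), the tuple the same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Minimal model of a browsing context (a popup window).
class FakeWindow {
  constructor(url) { this.url = url; }

  // A site may redirect a signed-in user to a URL carrying their identity;
  // the model only records the navigation.
  navigate(url) { this.url = url; }

  // Builds the Location object a script running at `callerOrigin` may see.
  // A correct browser lets cross-origin callers WRITE (navigate) but throws
  // on READ; `enforceSameOrigin: false` emulates a browser that forgets the check.
  locationFor(callerOrigin, { enforceSameOrigin = true } = {}) {
    const win = this;
    const sameOrigin = callerOrigin === originOf(win.url);
    return {
      get href() {
        if (!sameOrigin && enforceSameOrigin) {
          throw new SecurityError('Permission denied to access property "href"');
        }
        return win.url;
      },
      set href(v) { win.navigate(v); },
      replace(v) { win.navigate(v); },
    };
  }
}

// Attacker page: after the opened window has redirected, try to read its URL.
// Returns the leaked URL, or null when the browser correctly blocks the read.
function probeOpenedWindow(attackerOrigin, target, opts) {
  const loc = target.locationFor(attackerOrigin, opts);
  try {
    return loc.href;
  } catch (e) {
    if (e instanceof SecurityError) return null;
    throw e;
  }
}

// Pull the user identifier out of the leaked URL (path shape is constructed).
function extractUserId(url) {
  const m = /\/users\/([^/?#]+)/.exec(url || '');
  return m ? m[1] : null;
}

// The flow described in the article, with stand-in origins.
function runScenario({ enforceSameOrigin }) {
  const attackerOrigin = 'https://attacker.example';
  const popup = new FakeWindow('https://social.example/');   // opened by attacker
  popup.navigate('https://social.example/users/alice');       // site redirects signed-in user
  return probeOpenedWindow(attackerOrigin, popup, { enforceSameOrigin });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('correct browser  :', runScenario({ enforceSameOrigin: true }));
  console.log('regressed browser:', extractUserId(runScenario({ enforceSameOrigin: false })));
}
```

Two things to check in a real browser when testing a fix of this kind: that reading `popup.location.href` from a cross-origin opener throws a DOMException named SecurityError, and that the write paths (`popup.location.href = ...`, `popup.location.replace(...)`) still work, since the policy is asymmetric by design.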

