Mozilla fixes security flaw in latest Firefox

Warwick Ashford

Mozilla has released a fix for the latest version of its Firefox browser a day after it was withdrawn due to a security flaw.

The non-profit organisation said the vulnerability in Firefox 16 could allow a malicious website to capture web history, enabling hackers to see what websites people had visited.

Mozilla announced in a blog post that an update for Firefox for Windows, Mac, Linux and Android has been released.

The updated Firefox 16.0.1 is available through automatic updates and new downloads through the Mozilla download site.

Version 16 was withdrawn within a day of release. Mozilla said a limited number of users had been affected, but there was no evidence the vulnerability had been exploited by hackers.

However, Tal Be'ery, web researcher at security firm Imperva, said a proof-of-concept exploit for the vulnerability exists.

The flaw in Firefox 16 meant the browser was leaking a URL's data across domains by not restricting JavaScript’s “location” method, he said.

In theory, a user would browse to a malicious exploit site, and the attacker would open a new window on Twitter from that site. Anyone signed into Twitter would be redirected to a URL that contains their personal Twitter ID, and the attacker could then query the new window for its URL to obtain the victim’s personal Twitter ID.

On previous versions of Firefox, this attack would fail, but a regression in Firefox 16 allowed it to work.
