Mozilla fixes security flaw in latest Firefox

Mozilla has released a fix for the latest version of its Firefox browser, which it withdrew the day before after identifying a security flaw

Mozilla has released a fix for the latest version of its Firefox browser a day after it was withdrawn due to a security flaw.

The non-profit organisation said the vulnerability in Firefox 16 could allow a malicious website to capture web history, enabling hackers to see what websites people had visited.

Mozilla announced in a blog post that an update for Firefox for Windows, Mac, Linux and Android has been released.

The updated Firefox 16.0.1 is available through automatic updates and new downloads through the Mozilla download site.

Version 16 was withdrawn within a day of release. Mozilla said a limited number of users had been affected, but there was no evidence the vulnerability had been exploited by hackers.

However, Tal Be'ery, web researcher at security firm Imperva, said a proof-of-concept exploit for the vulnerability exists.

The flaw in Firefox 16 meant the browser was leaking a URL's data across domains by not restricting JavaScript’s “location” method, he said.

In theory, a user would browse to a malicious site, and that site would open a new window on Twitter. Anyone signed in to Twitter would be redirected to a URL that contains their personal Twitter ID, and the attacker's page could then query the new window for its URL and obtain the victim’s personal Twitter ID.

On previous versions of Firefox, this attack would fail, but a regression in Firefox 16 allowed it to work.
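
The restriction described above, as an added illustration that is not taken from the article or from Mozilla's code: a simplified JavaScript model of a browser refusing cross-origin reads of another window's location. The origins, the redirect URL and the `enforceCheck` switch that stands in for the regression are constructed assumptions.

```javascript
// Simplified model of the same-origin check on reads of another window's
// location. Illustrative only; this is not Firefox source code.
function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// Model of a window opened by `openerUrl`. `enforceCheck: false` stands in
// for a build where the restriction is missing (hypothetical switch).
function openWindowModel(openerUrl, targetUrl, { enforceCheck = true } = {}) {
  const state = { href: new URL(targetUrl).href };
  const openerOrigin = originOf(openerUrl);
  const location = new Proxy({}, {
    get(_target, prop) {
      // Reads are allowed only when opener and opened page share an origin.
      if (enforceCheck && originOf(state.href) !== openerOrigin) {
        const err = new Error(`cross-origin read of location.${String(prop)} denied`);
        err.name = "SecurityError";
        throw err;
      }
      return prop === "href" ? state.href : new URL(state.href)[prop];
    },
  });
  // serverRedirect models the site sending the signed-in user to a new URL.
  return { location, serverRedirect(url) { state.href = new URL(url).href; } };
}

// What the opener's script would see when it asks for the window's URL.
function tryReadHref(win) {
  try {
    return { ok: true, value: win.location.href };
  } catch (e) {
    return { ok: false, value: e.name };
  }
}

function demo() {
  const redirected = "https://twitter.com/constructed_user_id"; // constructed value
  const cases = {
    crossOriginEnforced: ["https://attacker.example/", true],
    crossOriginUnenforced: ["https://attacker.example/", false],
    sameOriginEnforced: ["https://twitter.com/home", true],
  };
  const results = {};
  for (const [label, [opener, enforceCheck]] of Object.entries(cases)) {
    const win = openWindowModel(opener, "https://twitter.com/", { enforceCheck });
    win.serverRedirect(redirected);
    results[label] = tryReadHref(win);
  }
  return results;
}
```

With the check enforced, the cross-origin opener gets a `SecurityError` instead of the redirected URL; only a same-origin page can read it.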
