Industry News

Mozilla Fixes XSS Flaw in Firefox 16.0.2 Release

Mozilla has announced the availability of Firefox 16.0.2, an emergency update that addresses a serious flaw in the way the browser handles the Location object. According to the advisory, successful exploitation of this flaw can result in cross-site scripting or code execution.

Firefox. Image courtesy of the Mozilla Foundation

The bug, discovered by security researcher Mariusz Mlynski, forced Mozilla developers to release the third emergency fix in a month since the introduction of version 16 of the popular browser.

“The true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users,” reads the security advisory.
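The advisory's wording describes a classic type-coercion mistake: a check that converts an object to a string lets that object's own valueOf() or toString() decide the answer, so content that can supply or shadow the object also controls what the check sees. The following is an added, self-contained illustration, not Mozilla's code and not a reproduction of the Firefox bug: it uses a constructed stand-in for window.location (TRUSTED_LOCATION), a naive check that coerces whatever it is handed, a constructed "shadowed" object standing in for user content, and a hardened check that compares by identity against a reference captured before untrusted code runs and matches the parsed origin rather than a string prefix.

```javascript
// Added illustration (not Mozilla's code). All objects here are constructed
// stand-ins; nothing touches a real browser Location object.

// Stand-in for the real window.location, captured by the checker at load time,
// before any page script runs. Like the real Location, it stringifies to href.
const TRUSTED_LOCATION = Object.freeze({
  href: "https://bank.example/account",
  toString() { return this.href; },
});

// Naive check: coerces the value it was handed to a string. The `+ ""`
// coercion calls the object's own valueOf()/toString(), so an object supplied
// or shadowed by page content controls the result. The prefix test is a second
// weakness: "https://bank.example.evil" would also pass it.
function naiveSameOrigin(locationLike, expectedOrigin) {
  const asString = locationLike + "";
  return asString.startsWith(expectedOrigin);
}

// Hardened check: accepts only the exact reference captured at load time
// (identity, never coercion) and compares the parsed origin of that trusted
// href, so neither a shadowing object nor a look-alike host passes.
function hardenedSameOrigin(locationLike, expectedOrigin) {
  if (locationLike !== TRUSTED_LOCATION) return false;
  return new URL(TRUSTED_LOCATION.href).origin === expectedOrigin;
}

// Constructed object standing in for user content that masquerades as the
// location: its own valueOf() reports the URL the naive checker wants to see,
// while its real href points elsewhere.
const shadowedLocation = {
  href: "https://attacker.example/",
  valueOf() { return "https://bank.example/account"; },
};

// Runs both checks against both objects and returns the outcomes.
function demo(expectedOrigin = "https://bank.example") {
  return {
    naiveAcceptsReal: naiveSameOrigin(TRUSTED_LOCATION, expectedOrigin),      // true
    naiveFooledByShadow: naiveSameOrigin(shadowedLocation, expectedOrigin),  // true: fooled
    hardenedAcceptsReal: hardenedSameOrigin(TRUSTED_LOCATION, expectedOrigin), // true
    hardenedRejectsShadow: hardenedSameOrigin(shadowedLocation, expectedOrigin), // false
  };
}

console.log(demo());
```

The design point is that the hardened checker never asks the untrusted value to describe itself: it keeps its own reference to the trusted object, obtained before any untrusted code could run, and derives the origin from that reference alone. Any check that string-coerces an object the page can influence is open to this class of shadowing regardless of which browser or plugin performs it.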

A secondary issue affects the CheckURL function and could likewise lead to cross-site scripting or local execution of code (i.e. malware). Although the advisory focuses primarily on the Firefox browser, the flaw also affects two other Mozilla products, Thunderbird and SeaMonkey: a popular e-mail client and an all-in-one application used for browsing, e-mail, RSS reading and IRC communication, respectively.

Users running older versions of Firefox are advised to update immediately using the auto-update feature built into the browser.

As of September 2012, Firefox was the second most used browser in the world with 32.2% of the browser market, after Google’s highly-popular Chrome (44.1%).

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.