Firefox, Thunderbird Security Holes Fixed

Wednesday, October 31, 2012 @ 08:10 AM gHale

Mozilla released a Firefox 16.0.2 update for its browser to close critical security holes.

The flaws center on the location object and the three problems, assigned CVE-2012-4194, CVE-2012-4195 and CVE-2012-4196, ended up fixed in the updates. The flaws also affect Thunderbird 16 to a more limited extent so a Thunderbird 16.0.2 update also released.

Firefox Beta Blocks Vulnerable Plugins
Firefox Re-release Fixes Holes
Firefox 16 Vulnerability
Mitigation, Update for PLC Hole

Enterprise ESR versions of the browser and email client also suffer from the problem; a 10.0.10 update for Firefox ESR and Thunderbird ESR also been released along with a 2.13.2 update of SeaMonkey.

Researcher Mariusz Mlynski discovered the true value of window.location could end up shadowed which could enable a cross site scripting (XSS) attack in conjunction with some plugins.

Mozilla security researcher moz_bug_r_a4 found using CheckURL on window.location could force a return to the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content.

In addition, Antoine Delignat-Lavaud of the PROSECCO research team at INRIA found it was possible to inject properties into the Location object, exposing it to cross-origin reading. Further details of the bugs were not immediately available.

Updates are available through Firefox and Thunderbird’s standard update mechanism and should deliver automatically to users.

To force an update, select the About window for the particular application which will then trigger a check and download of any pending update.

Leave a Reply

You must be logged in to post a comment.