Mozilla is delivering security updates fast and furious this month, the latest coming late last week when a new version of Firefox repaired three vulnerabilities related to the Location object. The Location object is supported by all major browsers and contains information about the URL being requested.
The vulnerabilities were closed in Firefox 16.0.2, Firefox ESR 10.0.10, Thunderbird 16.0.2, Thunderbird ESR 10.0.10 and SeaMonkey 2.13.2.
All of the vulnerabilities were rated critical. One could enable an attacker to use the valueOf method in combination with unnamed plug-ins to pull off a cross-site scripting attack. Another involved the CheckURL function in window.location that could also lead to a cross-site scripting attack. Mozilla warned this vulnerability could also enable an attacker to run code by exploiting an add-on that interacts with page content.
The final flaw addressed in this update would allow an outsider to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object, an alert from Mozilla said.
Mozilla has had a busy month. On Oct. 9, it released Firefox 16, but quickly pulled it back after a serious vulnerability was discovered. It was quickly addressed, but not before exploit code was made available. The browser was exposing URL information across Web domains, a vulnerability that could allow a malicious website to determine where a user had surfed and potentially could leak URL information and other data to an attacker.
While the vulnerability was being addressed, Mozilla introduced a new security feature to the browswer that by default blocks known vulnerable plug-ins from running. The feature, called Click to Play, covers only certain plug-ins, such as Adobe Flash, Adobe Reader and Microsoft Silverlight.