But on Wednesday, Gareth Heyes, an independent security researcher, posted a proof of concept (PoC) which demonstrated that Firefox 16 was somewhat insecure with its Windows location variables, allowing an attacker to open a window pointing at some part of another site (in the PoC, twitter.com), wait for that site to redirect the window to a “logged in” page (a twitter.com profile page) and then retrieve the new location and any associated data (in the PoC, the user’s twitter handle). Accessing the location information should normally be prevented by the browser’s “Same Origin” policy.
According to Mozilla’s advisory though, a similar but separate critical flaw had been found in Firefox 16, Firefox ESR 10.0.8, SeaMonkey 2.13, Thunderbird 16 and Thunderbird ESR 10.0.8 and earlier, which not only disclosed the location object, but, in Firefox 15 and earlier, had the potential for arbitrary code execution. Firefox 16.0.1 closes both these holes. The presence of the flaw in Firefox 15 does, though, raise questions over the previous advice given by Mozilla to downgrade from 16 to 15.
But these were not the only holes fixed in 16.0.1; another security advisory says developers also identified two of the top crashing bugs in the browser engine and that these bugs showed signs of having corrupted memory. Mozilla concludes that it could be possible to exploit these holes to execute code. One of the bugs only affected FreeType on mobile devices and is therefore fixed in Firefox 16.0.1 for Android, while the other is a WebSockets bug in Firefox 16 only and is not present in Firefox ESR.
Firefox 16.0.1 is now being pushed out to the Firefox browser’s auto update system and is also available to download via auto-version-detected download or from the all systems and languages page. Firefox 16.0.1 for Android is available in the Google Play store. Thunderbird 16.0.1 is also available for download. Firefox ESR 10.0.9 and Thunderbird ESR 10.0.9 are currently being quality assured and are expected to be released soon. SeaMonkey 2.13.1 has yet to appear on the project’s releases page.