Mozilla Firefox 16.0.2 Locks Down on Location Security
From the 'Location, Location, Location' Files:
In the most basic sense, programming code allocates specific locations in a program (or memory) that can be used for specific tasks. When code (malicious or otherwise) escapes those locations, trouble isn't usually far behind.
The new Firefox 16.0.2 update is really all about the problem of location, fixing a trio of critical flaws.
CVE-2012-4194 is titled, 'Location can be spoofed using |valueOf| and it's basically an XSS attack vector.
CVE-2012-4195 is titled nsLocation::CheckURL can use the wrong principal and allows for cross origin reading of the Location object.
The third location flaw is actually an omnibus grouping of location issues that Mozilla has simply titled, ' More cross origin location access problems'. The Bugzilla entry page for the 'more' problems is not publicly accessible so it's not clear what the specific issues are.
I can't remember the last time I saw such a grouping of location related issues in Firefox. It will be interesting to see if this was just a coincidental one-off grouping of flaws or if this is actually indicative of deeper root cause set of issues that will be exposed in the months ahead.