Several security vulnerabilities in Firefox 16 are being addressed in an update of the browser software released by the Mozilla Foundation. This is the second time in the last two weeks that the browser has had to be updated to address security problems.
All the security issues are related to the “Location” object in the software. One of the flaws, when combined with some plug-ins, could be exploited to perform cross-site scripting attacks on users. Those attacks typically are used to infect Web applications at trusted websites and push malicious code to unsuspecting visitors of those sites.
Another vulnerability involves the CheckURL function in the browser’s code, which could be forced to return a wrong value. Mozilla said this could be exploited in a cross-site scripting attack, or be used to execute arbitrary code in the context of a browser add-on that interacts with the content on a page.
A third defect addressed by the update allowed the security wrapper on the Location object to be bypassed by an attacker.
Mozilla also pushed out an update of its Thunderbird email client to fix similar flaws in that program. It explained in a blog post about the update that the Location vulnerabilities addressed by the new release would have less impact on Thunderbird because it uses those functions only through RSS feeds and extensions that load Web content.
When Firefox 16 was released on October 9, it addressed vulnerabilities outlined in 14 security advisories, 11 of them “critical.” Within 24 hours of that release, Mozilla halted downloads of the software because of security concerns. To address those concerns, Mozilla released version 16.0.1 of its browser. That release plugged the hole that allowed malicious websites to read the browsing history of visitors to those sites.
New feature puts Facebook in Your Firefox
Mozilla is rolling out a beta version of its new Social API for Firefox. For this release the company worked with Facebook to create Facebook Messenger for Firefox – a Firefox sidebar that brings your Facebook updates with you wherever you go on the web.
If you’d like to test out Firefox’s new Social API features, head over to the beta channel downloads page and grab the latest release. Then point your browser to Facebook, which will prompt you to install the Facebook Messenger for Firefox.
If you don’t visit Facebook you’ll never know the new Social API exists.
That’s exactly as it should be, according to Mozilla’s Johnathan Nightingale, senior director of Firefox engineering. I spoke to Nightingale ahead of the Social API release and he stressed that the Social API is entirely opt-in by design.
“Our plan is not to push anyone into something they don’t want, but to make easier and better for those that already use it.”
The new Social API can be seen as an extension of the App Tabs Mozilla added to Firefox 4. The App Tabs feature recognizes that not all tabs are equal. Some tabs, like e-mail, document editors or news feeds, are easier to use when they get a special spot in your browser. The Social API extends that idea even further, bringing social websites out of tabs completely and into a persistent sidebar that you can access without the need to switch tabs or log in.
“Social is not like other things that people do on the internet,” says Nightingale, “it runs as a current through everything they’re doing.” The Social API is designed to make it easier to stay in that current even while you’re visiting other sites. For example, Facebook Messenger for Firefox adds a sidebar that is visible even when you switch tabs. It’s easier to keep up with what’s happening because you see updates rolling in even when you’re browsing other sites. Since constant Facebook updates are annoying when you’re trying to get work done, there’s also a way to hide the sidebar until you want it again.
Facebook’s Social API implementation also adds a “like” button to the address bar, which means you can share a page with your friends on Facebook without leaving that page, which is great for sites that don’t offer their own social sharing buttons.
The Firefox Social API consists of a manifest file and a few URLs, but the user interface, the features offered and all the other details are up to the social site itself. For now that’s just Facebook, but Nightingale says Mozilla will add support for more providers, and eventually even for multiple social sites at once. The idea is to make it easy for any site to build on the Social API, much like the OpenSearch API did for custom search engines.
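As an added illustration (not code from the article, from Mozilla, or from Facebook), this is the shape of the provider manifest the paragraph describes: a handful of URLs that tell the browser where to load the provider’s sidebar and background worker from. The key names are taken from memory of Mozilla’s Social API documentation of the time and should be checked against it; the provider name and the example.com URLs are constructed placeholders. The security-relevant property a reviewer would look for is that every URL sits on the provider’s own origin and is served over HTTPS, since (as the privacy section below notes) those pages are loaded just like any other tab and are bound by the same origin rules.

```json
{
  "name": "Example Social Provider",
  "origin": "https://social.example.com",
  "iconURL": "https://social.example.com/static/icon16.png",
  "workerURL": "https://social.example.com/social/worker.js",
  "sidebarURL": "https://social.example.com/social/sidebar.html"
}
```

A manifest that pointed `workerURL` or `sidebarURL` at a different host, or at a plain `http://` URL, would be the thing to reject: the worker and sidebar run with whatever the named origin is allowed to do, so mixing origins or downgrading to HTTP is exactly what the “treated just as if you’d loaded them in another browser tab” model is meant to prevent.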
If you don’t use Facebook there’s nothing to see right now. However, after playing around with the new Facebook Messenger it’s not hard to imagine how other sites might do something similar. Twitter is an obvious example, but the Social API is not limited to just “social networks.” For example, GitHub could create a sidebar with, say, all your project updates and pull requests.
The privacy implications of giving social networks a cozier spot in your browser may make some people nervous, but Tom Lowenthal, of Mozilla’s Privacy and Public Policy team, assures users that nothing has changed regarding your data. “Once enabled, Firefox loads several pages from your social network over secure connections,” writes Lowenthal, “These pages are treated just as if you’d loaded them in another browser tab.”
That means Facebook can set cookies and collect data just like it would if you were logged into the site, but neither Facebook, nor any other social network that builds something with the Social API, will get any special treatment or additional data from Firefox. In other words, just because Facebook is persistent in the sidebar doesn’t mean it has access to any additional information from your browser.
If you’re always logged into Facebook anyway, the new Facebook Messenger for Firefox makes for a smoother, more compelling social network experience. It’s also easy to back out of should you end up disliking it. Those looking for something similar from another social network will just have to wait for those networks to build out their own Social API offerings.