Firefox 3.6 gains anti-clickjacking support, Thunderbird & SeaMonkey updated
Firefox 3.6.9 now supports the X-FRAME-OPTIONS header, which lets a web server tell the browser that its pages must not be rendered inside iframes on other sites. Clickjacking involves an attacker website inserting a transparent iframe containing, for example, Facebook content under the cursor. Users think they are clicking on the visible web page, but are in fact clicking on elements in the transparent Facebook iframe.
Earlier this year, hundreds of thousands of Facebook users fell victim to a clickjacking attack after unwittingly clicking on a concealed 'Like' button on a crafted web page. The new option would allow Facebook to prevent attackers from loading content in an iframe in Firefox. Despite the fact that Internet Explorer 8 and Chrome already support this option, Facebook is not using it.
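As an added example that is not part of the article, the following Python models the decision a browser such as Firefox 3.6.9 makes when it honours X-FRAME-OPTIONS (the DENY and SAMEORIGIN values, compared against the origin of the top-level document) and audits a set of constructed sample responses for pages that a site on an unrelated origin could still frame. The URLs, header sets and the foreign origin are assumptions made for the example.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Return scheme://host[:port] for an absolute URL; SAMEORIGIN compares this.
    (Simplification: default ports are not normalised, so https://a.example and
    https://a.example:443 are treated as different origins.)"""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def may_be_framed(headers: dict, page_url: str, top_url: str) -> bool:
    """Decide whether page_url, served with `headers`, may be shown in a frame
    whose top-level document is top_url. Header names are case-insensitive.
    Without the header every page is frameable, which is what Firefox did
    before 3.6.9 for all pages."""
    value = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":
            value = val.strip().upper()
            break
    if value is None:
        return True  # no header: any site may frame the page
    if value == "DENY":
        return False  # never render inside a frame, even on the same site
    if value == "SAMEORIGIN":
        return origin(page_url) == origin(top_url)
    # Unknown or malformed value: this model refuses framing (a conservative
    # assumption; real browsers of the period varied in how they handled it).
    return False


# Constructed sample: URL -> response headers, as a header scanner might collect
SAMPLE_RESPONSES = {
    "https://social.example/like-button": {"Content-Type": "text/html"},
    "https://social.example/home": {"Content-Type": "text/html",
                                    "X-Frame-Options": "SAMEORIGIN"},
    "https://social.example/login": {"content-type": "text/html",
                                     "x-frame-options": "deny"},
}


def frameable_by_foreign_origin(responses: dict,
                                foreign_top: str = "https://other.example/") -> list:
    """Return the URLs that a page hosted on an unrelated origin could embed in
    an iframe, i.e. the pages still exposed to clickjacking in a browser that
    honours X-Frame-Options."""
    return [url for url, hdrs in responses.items()
            if may_be_framed(hdrs, url, foreign_top)]
```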
Version 3.6.9 of Firefox also fixes more than 14 security vulnerabilities, of which the developers classify at least ten as critical. These include integer and heap overflows, orphaned pointers and, only for the Windows version of Firefox, the remote DLL loading vulnerability. The same vulnerabilities have also been fixed in the newly released Firefox 3.5.12, Thunderbird 3.1.3, Thunderbird 3.0.7 and version 2.0.7 of the SeaMonkey "all-in-one internet application suite".
The updates are available to download for Windows, Mac OS X and Linux, and all users are encouraged to upgrade as soon as possible. Alternatively, current Firefox, Thunderbird and SeaMonkey users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu.
- Mozilla Foundation Security Advisories, Firefox, Thunderbird and SeaMonkey security advisories.
- Firefox 3.6.9 and 3.5.12 security updates now available, a Mozilla Developer Center blog post.
- Thunderbird 3.1.3 and 3.0.7 security updates now available, a Mozilla Developer Center blog post.
- Mozilla releases Firefox 4 Beta 5, a report from The H.