Mozilla has fixed a critical flaw in older versions of Firefox that allowed an attacker to hijack a user's authenticated session and, in the worst case, run attacker-controlled content inside that session. The vulnerability lies in Firefox's support for Kerberos authentication, the single sign-on protocol that enterprise networks use to authenticate users to services such as Apache-hosted intranet sites and Lotus Notes (in the browser this is the Negotiate authentication scheme for HTTP).
CVE-2016-9412: Firefox does not properly handle redirects when Kerberos authentication is enabled.
When a user clicks on a link, Firefox sends the request to the remote host together with the user's Kerberos authentication details, and because of the redirect handling bug it does so even when the request ends up at a host it should not trust. If that host is compromised, or is an attacker-controlled redirect target, it can capture those details and replay them, which is what makes session hijacking possible. The severity is high: with a hijacked session the attacker can do anything the user can on the affected service, from stealing data to pushing a root certificate onto the user's machine. One practical caveat: Firefox only offers Kerberos (Negotiate) credentials to hosts matched by the network.negotiate-auth.trusted-uris preference, so a broad entry there (an entire domain suffix rather than specific hostnames) widens the set of hosts a redirect can reach with credentials attached; keep that list as narrow as your environment allows.
The good news is that Mozilla has already patched this flaw in Firefox 52.0.
The bad news is that users who have disabled automatic updates, or who run a build that no longer receives them, will not get the fix until they update manually.
How to check if you are vulnerable?
The check comes down to the version number: anything below 52.0 is affected, and 52.0 or newer carries the fix. To find your version:
1. Open the menu, choose Help and then "About Firefox". The dialog shows the version number and also triggers an update check.
2. Alternatively, type "about:support" (without quotes) into the address bar and read the "Version" entry under "Application Basics".
3. If the version is 52.0 or higher, you are running the patched release. If it is lower, you are still on a vulnerable version of Firefox and should update as soon as possible!
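For checking a fleet of machines rather than a single desktop, the same version comparison can be scripted. The POSIX shell function below is an added example written for this article, not code from Mozilla: it parses the output format of `firefox --version` (for example "Mozilla Firefox 52.0") and compares the major and minor numbers against the 52.0 fix version named above. The sample strings it runs on are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example: classify a Firefox version string against the 52.0 fix.
# Assumption (from the article): 52.0 is the first release carrying the patch.
FIXED_MAJOR=52
FIXED_MINOR=0

# firefox_version_vulnerable "<firefox --version output>"
# Prints "vulnerable", "patched" or "unparseable".
# Returns 0 when vulnerable, 1 when patched, 2 when the string could not be parsed.
firefox_version_vulnerable() {
  # Extract the leading digits-and-dots after "Firefox "; suffixes such as "esr" are dropped.
  ver=$(printf '%s\n' "$1" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p')
  if [ -z "$ver" ]; then
    echo unparseable
    return 2
  fi
  major=${ver%%.*}          # "52.9.0" -> "52"
  rest=${ver#*.}            # "52.9.0" -> "9.0"
  [ "$rest" = "$ver" ] && rest=0   # no dot at all: treat minor as 0
  minor=${rest%%.*}         # "9.0" -> "9"
  if [ "$major" -lt "$FIXED_MAJOR" ] || { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
    echo vulnerable
    return 0
  fi
  echo patched
  return 1
}

# Demonstration on constructed sample strings (not output from real machines).
for sample in "Mozilla Firefox 45.9.0" "Mozilla Firefox 51.0.1" "Mozilla Firefox 52.0" "Mozilla Firefox 52.9.0esr"; do
  printf '%-28s -> ' "$sample"
  firefox_version_vulnerable "$sample" || :
done
```

On a real host replace the sample loop with `firefox_version_vulnerable "$(firefox --version)"` and act on the return code; an inventory tool can run the same function over version strings collected from about:support or from package metadata.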
Installing the Update
Firefox normally updates itself. Opening Help and then "About Firefox" triggers an update check and installs the fix after a restart. If updates are disabled, or the dialog reports that no update is available, download the current release from mozilla.org and install it over the existing copy; there is no need to uninstall the old version first.
If you have not yet done so, please upgrade your browser.