Security Vulnerability in Firefox 16

mcoates


Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT (19:00 UTC) on Oct 11. Users will be automatically updated, and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10 (04:00 UTC, Oct 11).
Issue:
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.

Impact:
The vulnerability could allow a malicious site to determine which websites a user has visited and to read the URL, including any URL parameters, of those pages. The site's reach is limited to windows and frames it opened itself (see the discussion in the comments below); it cannot read arbitrary browsing history. Because URL parameters sometimes carry session identifiers, reset tokens or other sensitive values, sites that place such data in the query string are the most exposed. At this time we have no indication that this vulnerability is being exploited in the wild.

Status:
Firefox 16 has been temporarily removed from the current installer page, and users will automatically be upgraded to the new version as soon as it becomes available. As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.

Michael Coates
Director of Security Assurance

155 responses

  1. Shailesh wrote on :

    Rapid Release gets new features into the hands of end-users faster, and is a necessity to compete with Google. We don’t want to go back to the old days of waiting 6-12 months for a new release, where lots of new features that were ready sooner would have to wait months for the release to see the light of day. Yes, occasionally, some nasty bugs will make it into the release, but that doesn’t seem to be much different from the way it was before. Mozilla needs to think about re-architecting the process security of Firefox the way Google Chrome has done, and then paying bounties for bugs, otherwise, Chrome is just going to pull away over time.

    1. The oldie wrote on :

      But they should perhaps be better tested. This release 16 and 16.0.1 has flickering menus running under Win7 64 bit. I went back to 15… which is ok in this respect, but forgot to turn off auto updates…
      I have seen that this has been a problem for others also in earlier releases.

  2. Bryan Price wrote on :

    Sorry about the spam, but can I leave a message without the captcha security code?

    1. Jesse Ruderman wrote on :

      Apparently you can! I filed https://bugzilla.mozilla.org/show_bug.cgi?id=801313 on the missing captcha.

  3. msth67 wrote on :

    Such information should be publicized more rapidly and more visibly by Mozilla. I too would say that learning it from other web sources and then having to dig around for further enlightenment doesn’t look too good: what about also using Mozillazine to notify of such unforeseen issues, and furthermore why not publicize the link to the bug, since at this point probably the folks who shouldn’t know in fact know already?

    1. pieroxy wrote on :

      Well, maybe it is just not a big deal since there is no exploit. One can think that an exploit is highly unlikely on a browser released 3 hours ago. And a patch that quickly makes it much more unlikely that an exploit will ever see the light of day.

  4. Seen wrote on :

    Really? So I get the popup to update, I update my Firefox, and now I’m reading this and it’s telling me to downgrade.

    1. mcoates wrote on :

      As of 12pm PT on Oct 11 the patched version (16.0.1) was distributed to all users. If you’ve upgraded since that time you will be on the patched version.

      More information on checking your version number and updating can be found here:
      http://www.mozilla.org/firefox/update/

  5. A pissed off user. wrote on :

    This release of information was handled very poorly.

    Next time something like this happens, you should post something on your main page indicating the problems. Be upfront. Do not hide it! That is how you lose TRUST!

    I updated to 16.0 when it was released. Went to do a few more machines the next morning and the update was gone, but I could find NO explanation why. Unacceptable.

    Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network and I would be forced to recommend anyone I know that uses the internet, against using this product.

    1. Dave wrote on :

      You should also demand a refund.

      1. John Meloche wrote on :

        lol @ Dave. I agree! The fact he posted “pissed off customer” lol… customers pay money. I say, enjoy the fact you get such incredible software free. Everyone faces problems. The fact that communication could be improved for the next time something happens doesn’t warrant being a jerk in the forum.

    2. Slightly Sarcastic wrote on :

      Pull your head out and take a deep breath of fresh air.
      Mozilla does not need to explain why they pulled the update, just be glad they did.
      You don’t want to post something like that on your “Front Page” because then you get people working hard to exploit it. That whole “TRUST” thing? Yea, Mozilla pulled the updates, worked on a patch, released a patch a day later. TRUST that they are indeed working hard to keep your browsing sessions as safe as they can.

      Threatening to “pull Mozilla from your personal and corporate machines” is about as whiny as you can get. You want Mozilla to pay you, too ? Put your money on a silver platter and butler it to your front door. ” Here you go sir, we are sorry for the screw up, won’t happen again.”
      Get real, bozo.

      The nerve of some people.

    3. gs wrote on :

      You get what you pay for.

      1. gharlane wrote on :

        atm I’m hard pressed to come up with the name of a browser you do have to pay for….. so your comment and attitude fall a bit flat.

    4. ffuser wrote on :

      @A pissed off user:
      When it comes to a mission critical or corporate networked computers:
      1. Never set up auto-update for any application or download / install updates
      2. Never install a newly released application or update the same day unless you are aware of the bug fixes etc. and have a good backup for a quick roll-back.
      3. Read release notes, new features, known issues etc. before applying the update
      4. Download the update and install it from a local source so all your versions are consistent and you have a backup copy of the update

      “Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network ” – This happens with other applications as well… what’s your solution? Remove them and switch to another app?

  6. Aron wrote on :

    Since I’m absolutely in love with FF, I figured I might give the automatic update idea a go. Thankfully this incident came as a wake-up call, so while I’m not giving up on the good cause, I switched off automatic updates for good and started to make the effort to finally fine-tune my Opera as a backup – so yeah, good faith has been slightly shaken, I’ll be more careful before accepting any .0 version for sure. Good job churning out the fix quickly though, it restored some trust. Keep up the good work!

    1. Daniel Veditz wrote on :

      And what happens when you forget to check for updates manually every day? You’ll go days or weeks on an old version rather than the one day in this case. Not sure you’ve learned the right lesson from this incident.

  7. Ben Reaves wrote on :

    I learned about it from Marketplace Tech Report this morning and within half a day I see the update. I think this is pretty *good* response compared to other software vendors. Makes me want to stay, not switch

  8. zbravo wrote on :

    I really don’t know why do we have only major releases. Since what, version 4? I can only get major version number releases.

    I don’t think that would be the most correct approach. We should be at around version 6, probably with the change of looks to the “like-office” menu.

  9. mr peabody wrote on :

    How many of my current programs will no longer be supported? This seems to happen every time I allow one of these updates to install. Very frustrating.

  10. Jim wrote on :

    For a major web browser, the frequency of version releases is a bit over the top. How about dramatically lowering the frequency of releases, and getting things right? Besides, who wants to update every week?

    1. Jim Russell wrote on :

      I do.

  11. Scott wrote on :

    “As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. ”

    Of course, when you go to that link, there are no instructions, but rather a link to download the faulty 16.0.1. Smooth move.

  12. Another Pissed Off User wrote on :

    Who is that mastermind chief programmer of firefox?

  13. Another Pissed Off User wrote on :

    Who is that firefox mastermind chief programmer?
    Hand out Email Address and Telephone Number!

  14. Bart Benus wrote on :

    So Mozilla developers are less than perfect. This is shocking news indeed: I was told they were Super Humans from outer space, that never make a single mistake, not ever! Thanks, you people at Mozilla, for all your honesty and excellent work: I will not even consider using anything else.

  15. john o neill wrote on :

    hi,
    when I right click on a webpage to send a link it is not letting me do this. Any suggestions or comments please?

    1. Jesse Ruderman wrote on :

      You can send a link to the page from the File menu (or Firefox menu on Windows). See https://bugzilla.mozilla.org/show_bug.cgi?id=786185 and https://bugzilla.mozilla.org/show_bug.cgi?id=239307

  16. Security Code is blank, no image wrote on :

    Security Code is blank, no image

  17. Security Code is still blank, still no image wrote on :

    Security Code is still blank, still no image

  18. Firefox Fanatic wrote on :

    Firefox is so cool! Go Vixens!

  19. Cylon wrote on :

    Hi
    from one night to the next morning, my Firefox 16.0.1 has stopped working. Other browsers do work, but not Firefox. I made no changes in my firewall, nothing.
    I have uninstalled Firefox and reinstalled it again, but it doesn’t work.

    Can anyone give me any solution? Thanks

  20. Markus wrote on :

    How can I downgrade to Thunderbird version 15?

  21. josh wrote on :

    why is the 16.0 version still supplied for Android?
    The 16.0.1 version has already been available for days. Please supply it to the Google Play Store.
    Now every day I get a reminder to upgrade my 15 version to 16.0, the one with the security bug that I don’t want.
    Please withdraw the buggy version or supply the patched one.

    1. mcoates wrote on :

      The android version was patched and released at 9pm PT on Oct 10. You’ll see that it is version 16.0.1

      https://play.google.com/store/apps/details?id=org.mozilla.firefox

  22. Jonau wrote on :

    Firefox used to be a great product and secured ( relatively ).
    Today Firefox is worse than a Microsoft product.
    I will definitely switch to another web browser.
    Every good thing has an end and this is an end of Fire Fox.

    1. pieroxy wrote on :

      Just out of curiosity, what exactly do you find worse in Firefox than in Microsoft?

      To me, if anything, this little thing proved that Mozilla is *super fast* in releasing patches for security vulnerabilities. Much more so than Microsoft is.

      1. TubeLugs wrote on :

        Umm, “super fast” as in “security patches break other things because they are insufficiently tested”?

  23. Mase wrote on :

    I was unlucky enough to have downloaded the update while making an online purchase. Now I am certain my CC has been compromised. Have been tracking certain items on my wish list suddenly they were available for unbelievable prices. It was only AFTER “purchasing” these items that I realized that the browser may have been compromised. So now I am with Aron, I have permanently turned off auto updates and I may never use FF the same way again. Will still use it to browse, but never for anything serious. Thought this kind of thing only was supposed to happen to IE users.

    1. Daniel Veditz wrote on :

      Mase: any troubles you’re having are nothing to do with the security flaw described here.

      1. while you can download updates while browsing, you have to restart Firefox to apply the update. There’s no way anything could change in the middle of a purchase.
      2. the flaw described in this article only leaked the address (http://etc) of the page you were visiting. Your CC number is never in the URL, you enter it into a form and post back to the server.

      Were you “tracking” the items using a wish-list feature of the on-line store? The store obviously knows that information and may be trying to entice you. Were you “tracking” them by repeatedly visiting them on a store site? The store knows that, too (unless you use private browsing and don’t log into your store account), and could be trying to entice you. Nothing to do with this flaw.

      Do you visit http://www.mozilla.org/plugincheck regularly to make sure your 3rd party plugins are up to date? If not, and especially if you have Java installed, then you may well be compromised — but not through Firefox itself. See the next article in this blog, “Click-to-Play Plugins, Blocklist-Style”, for our plans for dealing with that issue.

      1. Mase wrote on :

        Impact:
        The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.

        This is exactly what happened to me. I’ve made dozens of purchases from this very reputable site for years with absolutely zero problems. Then on 10/12, a few items suddenly dropped in price. Not once, not twice but on at least a DOZEN different unrelated items. All from the exact same seller whom I had never previously heard of in my 7-10 years of making purchases. At the time, I could not believe that all these items had suddenly become available and VERY affordable. It seemed almost too good to be true. Thinking it was safe to try I purchased one of the items. Afterward, I noticed my FF browser was acting a little wonky. I logged out of the site and closed the browser like I always do. Still feeling a little suspicious, I ran all my protection software (anti-virus, spyware, anti-trojan, rootkit, etc all in safe mode then again in regular mode). Everything ran with zero detections so I relaxed a bit. It was only after trying to open FF later that I got alerts from my firewall that FIREFOX browser was trying to access something in connection with explorer.exe. Now I am pretty certain after reading the IMPACT provided here that the sites URL may have been accessed since I visit the site and search for items almost every day (but don’t log on). It has all the feelings of a phishing site. But I am no expert. I only know it’s not feeling right. So after running all that software again (for safe keeping), I decided to go back to a previous date before the update. Which brings me to this page. End of story.

        1. Daniel Veditz wrote on :

          “Now I am pretty certain after reading the IMPACT provided here that the sites URL may have been accessed”

          That’s not how this flaw works. A malicious site can only read the URL you browse in a frame inside that site (which could visually be the whole tab, but the URL at the top would remain the attacking domain) or if the malicious site opens a new window or tab and you then browse in that. It cannot read arbitrary URLs out of your history or from windows unrelated to the malicious site.

          “I got alerts from my firewall that FIREFOX browser was trying to access something in connection with explorer.exe”

          This flaw most definitely can’t do THAT.

          You may have ad-ware installed that’s either too new to be detected or skirts the legitimacy line enough (“informed consent” in the form of a buried opt-out checkbox in an install) that they’re afraid to call it malware because they could get sued.
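The boundary Daniel Veditz describes in his reply above (an attacking page can only see the location of windows or frames it opened itself, and a correct browser refuses even that read across origins) and the advisory's "URL or URL parameters" impact note, as an added example that is not part of the original post, of the comments, or of Mozilla's code. It does not reproduce the Firefox 16.0 bug; `isSameOrigin`, `probeLocation`, `leakedDetails` and `runDemo` are hypothetical helper names, and the `patchedWindow` and `vulnerableWindow` objects are constructed stand-ins modelling the expected and the broken behaviour so the code runs offline in Node. The same `probeLocation` can be pointed at a real handle in a browser console.

```javascript
// Added editorial example: a model of the cross-window location boundary
// Daniel Veditz describes, and a probe for checking it. Not Mozilla code;
// isSameOrigin, probeLocation, leakedDetails, runDemo and the fake window
// objects are hypothetical names constructed for this example.

// Same-origin policy comparison: scheme, host and port must all match.
// URL.origin already normalises default ports ("https://h:443" -> "https://h")
// and lower-cases the host, so comparing the two origins is enough.
function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Classify what reading `win.location.href` returns, where `win` is a handle
// the probing page obtained itself (window.open or an iframe's contentWindow).
// Those handles are the only ones an attacker ever holds; unrelated tabs and
// the history list are out of reach regardless of this bug.
//   "blocked":     the read threw, the expected result for a cross-origin
//                  page in a patched browser
//   "same-origin": readable, but the window is still on our own origin
//                  (or the initial about:blank), so nothing was leaked
//   "leaked":      readable and cross-origin, the Firefox 16.0 symptom
function probeLocation(win, probeOrigin) {
  let href;
  try {
    href = win.location.href;
  } catch (e) {
    return { result: 'blocked', href: null };
  }
  if (href === 'about:blank' || isSameOrigin(probeOrigin, href)) {
    return { result: 'same-origin', href };
  }
  return { result: 'leaked', href };
}

// Everything a leaked href hands the attacker: the visited origin, the path
// and every query parameter. This is why the advisory mentions URL
// parameters: a session id or reset token in the query string is now theirs.
function leakedDetails(href) {
  const u = new URL(href);
  return { origin: u.origin, path: u.pathname, params: Object.fromEntries(u.searchParams) };
}

// Constructed stand-ins for window handles so the probe runs offline.
// A patched browser throws on a cross-origin read of location.href...
const patchedWindow = {
  location: {
    get href() { throw new Error('SecurityError: cross-origin access denied'); },
  },
};
// ...whereas the bug let the read succeed after the user navigated the
// window to another site. The URL below is made up for the example.
const vulnerableWindow = {
  location: { href: 'https://shop.example/checkout?order=1234&token=abc' },
};

function runDemo() {
  const probeOrigin = 'https://attacker.example';
  const patched = probeLocation(patchedWindow, probeOrigin);
  const vulnerable = probeLocation(vulnerableWindow, probeOrigin);
  return {
    patched: patched.result,       // "blocked"
    vulnerable: vulnerable.result, // "leaked"
    leaked: vulnerable.href ? leakedDetails(vulnerable.href) : null,
  };
}
```

To check a live browser, open a handle with `const w = window.open('https://example.org/')`, wait for the page to load, then call `probeLocation(w, location.origin)`; a correctly behaving browser returns `blocked`. Note that the same-origin policy restricts only reads: a page may still assign `w.location` to navigate a window it opened cross-origin, which is exactly why a read that is not blocked lets the attacker send the user somewhere and then watch where they end up. The defensive corollary for site operators stands independently of this bug: keep session identifiers and other secrets out of query strings, since URLs also leak through Referer headers, proxy logs and history.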

      2. Mase wrote on :

        btw, you certainly can update the browser in the middle of a purchase. All you have to do is HELP tab and select ABOUT FIREFOX in the drop down menu. Once you do this FF will search for, download and then INSTALL the update all without closing the window. Then you will have to restart FF for the update to take place.

        1. hillbilleter wrote on :

          Mase, what you have done is NOT to update in the middle of a purchase, by your own description. Your own statement, “Then you will have to restart FF for the update to take place” proves that all you have done is a simple download, not an installation. And the website that is worrying you may have improved its cookie placement procedures and put cookies in your browser to follow your habits. That’s what they do. Amazon comes to mind. After that, when you browse anywhere that allows those cookies to “talk” with a site that allows ads, the ads are trying to sell you things you’ve shown an interest in before. If you want to get rid of your cookies to test it, that may set your mind at ease.

  24. Rafael wrote on :

    How do I go back if the program does the update automatically? You should catch these errors before sending out the browser upgrade.

  25. Raj wrote on :

    Kaspersky Internet Security 2013’s Safe Money feature doesn’t work on Firefox 16.0.1.
    Now I’m not starting a debate on how good or bad Kaspersky is, but the point is it’s a popular anti-virus app and the fact that it doesn’t work with the new Firefox makes people jittery. My organisation uses Kaspersky on all the machines and since the amount of online transactions we do is large, we are forced to use Internet Explorer and I hate it…. so who looks into this??

  26. João Dantas wrote on :

    I couldn’t login to this bank site since the Firefox 14.0 because of non compatibility with the security plugin. With the 16.01 version things went worse, and now Firefox crashes before it can open this page (Banco do Brasil).

  27. Matthew Atkinson wrote on :

    When you issue these releases, please give times that everyone can understand.

    ’12pm PT on Oct 11′ requires me to go and look up what ‘PT’ means. Wikipedia’s entry for PT has loads of entries, but none of them are for a timezone.

    Can you either give the time in UTC, which everyone knows how they relate to, or at the very least explain what the offset between PT and UTC is?

    1. David wrote on :

      http://en.wikipedia.org/wiki/Pacific_Time_Zone

  28. puru singh wrote on :

    Been in love with Firefox for a long time. Love everything ’bout it, specially its smooth scrolling prowess. Then this had to happen but fortunately upgraded as soon as the upgrade was available so its like ok. Only grudge is the Kaspersky compatibility issue. Tryin’ out v17.0.1 and Aurora at the moment.

  29. Aunty wrote on :

    I’m working on a second hand laptop and I’m not sure how much clear memory it has so I don’t want a stream of updates to clog it up. When I was offered the original version I read the small print and they made it clear it had little bugs so I opted not to update. The old one that everyone went back to was still working fine. If you do take the offer to be the first to try something you have to be prepared to encounter little glitches. You can report these bugs but you can’t really complain – especially if it’s free.

  30. Mystery Man wrote on :

    so much gaga on just one software? Give me a break!

  31. Don wrote on :

    I keep getting asked to upgrade immediately. I usually do, but for some reason, this time, read these comments first. Glad I did.

    You said “Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.”

    I’m waiting…

    I’m on 15.0.1 and have not updated. Things appear to work fine. Reading the comments, 16.0.1 sounds faulty. When you have these new “patches” ready, can you clearly say that they fix whatever problems are in 16.0.1 and are ok to allow an update on 15.0.1?

    I’m not a tech guy, just a user that wants to continue with FireFox.

  32. Rod F wrote on :

    I have installed V16.0.1 several times and on all occasions the following website has hijacked the browser. I have been following the process since last week when the vulnerability of V16.0.0 was identified and when I had first installed it on my new laptop. I tried V15 as well but that didn’t change anything. Today, I felt secure that it was now safe to try it again with the same result. Changing my homepage does not solve the problem either. I had also taken it to a computer repair shop to have it cleaned before re-installing it today. What do I do?

    http://www.ggle.org.uk/index.php?hp=1&OVKWID=ff3

  33. Dave Steckel wrote on :

    16.01 Thunderbird doesn’t auto remove junk. When you try to check move junk mail to folder, the ok doesn’t work. So you have to manually recheck each junk mail and click not junk then click junk to get rid of it. And 16.01 doesn’t put the junk in the junk folder. If it isn’t fixed soon, do we have to reinstall the last working 15.? load?

  34. Robert Kann wrote on :

    I downloaded a Firefox upgrade and Babylon took over my Firefox browser and I couldn’t get rid of it. I had to pay $130.00 to have someone take it off my computer. How can I guarantee, if I go back to Firefox, that I will be safe without this happening again?

    Robert
