Security Vulnerability in Firefox 16

Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Issue:
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.

Impact:
The vulnerability could allow a malicious site to determine which websites users have visited and to access the URL or URL parameters of those sites. At this time we have no indication that this vulnerability is being exploited in the wild.

Status:
Firefox 16 has been temporarily removed from the current installer page, and users will automatically be upgraded to the new version as soon as it becomes available. As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.

Michael Coates
Director of Security Assurance

155 comments on “Security Vulnerability in Firefox 16”

  1. Laura Brouillette wrote on

    I just downloaded 16, should I put back the 15… I have Windows 7!!

    1. mcoates wrote on

      There is no need to revert to version 15. Version 16.0.1 contains the fix to this issue.

      More information on checking your version number and updating can be found here:
      http://www.mozilla.org/firefox/update/

  2. ffover9000 wrote on

    HowToFix: download Google Chrome. /rofl

    1. Pseudonymous Neuron wrote on

      Oh, because of course Chrome has far fewer vulnerabilities than Firefox ¬_¬

    2. Ajnasz wrote on

      You know, there is only one issue with Chrome, but that’s a blocker one: it’s not Firefox.

    3. Scorpion3003 wrote on

      I don’t know what’s so funny; Chrome just released another update after releasing one on Monday. Nice try on the trolling.

      1. mad.madrasi wrote on

        I think you’re talking about Chrome 22.xxx.92 to 22.xxx.94. That is most likely because of an update to Adobe Flash Player. Chrome has frequent updates because of the onboard Flash player and PDF (Foxit) viewer. Now that Firefox also has a PDF viewer, I guess we will see more such releases.

    4. silly puppy wrote on

      Thank you for posting this. It has deepened the conversation and added insight I wouldn’t have picked up on my own.

    5. saeed wrote on

      Google Chrome still steals your information, including private and public data, and it does that without letting you notice. Firefox is the best!

    6. Wesley wrote on

      I say “no thanks” to google big brother browser. Remember with google, your data is the product up for sale and in many cases, for free.

      1. Audrey wrote on

        They don’t sell it. Like Facebook, they allow their database to be used and they target you. The “what you call buyers of personal info” don’t actually see that info at all. They enter parameters and from that users are targeted while browsing by the users’ likes and dislikes. Google and Facebook target you, not the companies. They don’t receive a list unless they hack the system and steal it.

      2. Naivity wrote on

        Oh Wesley, dearest Wesley, are you not aware how Firefox even stays afloat?

        http://en.wikipedia.org/wiki/Mozilla_Foundation#Financing

        For Google, they need Firefox for market share, at the moment. Eventually Firefox within 3-5 years will lose its share and Google will eventually toss Firefox to the curb.

  3. Matt A. Tobin wrote on

    another “success” of Mozilla’s RapidRelease program.

    I am very disappointed that Firefox builds that turn into releases are not properly tested and have had unprecedented stability, security, and reliability issues ever since the beginning of this so-called RapidRelease program.

    The main issue is RapidRelease != Rapid Development. The actual development of the browser’s code base has not accelerated, and with constant reversion and pulling of new code from the various build channels filtering down to the Release channel, we are not getting nearly the compelling and stable Firefox that made it the product we came to use and care about.

    With features and code being backed out you are left with mixing of new and old code which presents unpredictable results in the so called “Final” product which has affected stability and reliability in the browser since Firefox 5 began the trend.

    Obviously this was a marketing decision made with no regard for code stability or testing. It is and has harmed firefox so much more than the apparent slowness of the previous release cycle ever did.

    Why chrome is more successful than ever is that they actually develop very fast and thus their releases are faster but as it stands today nothing is faster about Firefox except how the constant major version number increases.

    If Mozilla is not up to the task of providing an end to end experience with a fast cycle of releases it should return to the tried and true method of releasing updated versions when they actually reach a specific standard for code and functionality. This is how Firefox became popular and at one time one of the most used browsers aside from Internet Explorer which was only used “because it was there”.

    For the time being I am currently using a stable and functionally complete fork of the Firefox codebase known as Pale Moon. It does not conform to the ideals of releasing regardless of stability or completeness, until such time as either the actual development of Firefox increases to match its rapid release model or they return to a more sane release cycle that is in line with the speed of actual development.

    Peace,

    Matt A. Tobin
    Commanding Officer
    Binary Outcast

    1. Gian-Carlo Pascutto wrote on

      >another “success” of Mozilla’s RapidRelease program.

      The issue is completely unrelated to the Rapid Release process. It was not detected in 18 weeks of testing, and discovered because only the actual release gets far wider exposure than any testing release. A longer release process would just have meant it would have taken even longer for the issue to be discovered, and longer to fix.

      Because of the Rapid Release process, a security fix will be available less than a day after the issue was first discovered, and before exploits are in the wild.

      >For the time being I am currently using a stable and functionally complete fork of the Firefox
      >codebase known as Pale Moon.

      Which is slower to deploy security fixes, so this is a truly horrible argument to make. If you object to the rapid release, there are the Firefox ESR releases, which do not get any new features but still get security fixes at the same, faster pace.

      1. dav2 wrote on

        I’m still running 3.6.28 because of incompatible add-ons. Anything I can do about security issues? (Also, 3.6.28 is the last one that runs on Apple Tiger OS, if I am not mistaken.)
        I use add-ons: NoScript, RequestPolicy, WOT, etc.

      2. Powerlord wrote on

        There’s one major issue with Rapid Release that should be made obvious from what you said:
        A product with a 6-week release cycle has an 18-week test cycle. Meaning that you’re testing version 18 (or 19) now with 16 having just been released. Meaning that any bugs that do crop up that you miss that AREN’T serious won’t be fixed for several versions down the line.

    2. A wrote on

      +1

      The rapid release cycle is an extremely shoddy idea, and should be stopped.

      > Because of the Rapid Release process, a security fix will be available less than a day after the issue was first discovered, and before exploits are in the wild.

      These security fixes are supposed to be released as incremental updates, not a whole new I-want-a-higher-number-waaah update.

  4. Westly wrote on

    I am glad that the people of Mozilla are working hard to solve this ‘bug’. Keep up the good work!!!

  5. Zupfis wrote on

    The rapid releases would be fine with me if Firefox would ask before updating and include a list of things that will be broken after the release.

    Given that with every single update since 5.0 at least one extension was broken, it is very annoying. Especially because it happens at random times without any kind of prior warning.

    1. Tom wrote on

      I do not understand that. I’m using 10 extensions, and since version 4 I never had problems with any extension after an update.

    2. ken wrote on

      G’day,
      Have you noticed the option under the menu Options, Options, Advanced, Update, Firefox updates? Some combination there may assist.

      Regards
      Ken

    3. Stevo wrote on

      I too have run into very few regressions or breaks in extensions since rapid release (maybe about 4 between ffx 4 and 8). I will take the memory and feature improvements any day. Even so, I think it’s pretty awesome that Mozilla is making the web better for browsers OTHER than Firefox. The Chrome users out there can be glad when Moz catches a security flaw within 24 hours, because the tempo of progress and competition is definitely increasing!

    4. Patricia wrote on

      You have the possibility to configure it in a way that Mozilla asks you if you want to install the updated version or not: Go to Configuration, Advanced, Updates (I have the version in Spanish so maybe these names are not exact, but you’ll find it out).

  6. Andrew wrote on

    Can you confirm whether or not 10.0.8 ESR is affected?

  7. Peter wrote on

    Please improve your testing procedures, Mozilla!!!
    Since Firefox 7 there have been too many issues, resulting in patches.

    Focus on the right areas: SECURITY, stability and web standards compliance. Stop messing around with the Firefox browser, so get rid of the planned Australis look and social media integration. This stuff is nonsense.

  8. Hristo wrote on

    What about Ubuntu users, who were automatically updated to version 16.0 and do not have the option to downgrade to 15.0.1?

    1. Gian-Carlo Pascutto wrote on

      A security fix will be available in the next few hours. (It has already been built, but it’s still making its way through the mirrors and distribution channels.) I suppose Ubuntu will pick it up immediately, as they have in the past.

      1. Chris Coulson wrote on

        Hi,

        16.0.1 candidates for Ubuntu are available in https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa. We’ll push these out to users as soon as it is released.

        Chris

    2. anon wrote on

      Automatically? Only once you run an update! You can upgrade your system and ignore Firefox for now…

  9. Fred wrote on

    I was automatically upgraded to version 16 without knowing it! This behaviour is totally crap! Normally I wait a few days before updating manually to a new version, because of these errors which are always contained in new versions.

    Put back the power of update in the hands of the users! I consider switching to Opera, which respects the user rights.

  10. Julien Boyer wrote on

    Kudos for being honest and transparent about that. And for the quick fix.

  11. Glenn wrote on

    Maybe I’m reading it wrong… but how is this a “security” issue as opposed to a privacy issue? (or did you leave something out of the description–intentionally or otherwise)

    Thanks.

    1. Danny Moules wrote on

      Security is being used as a tool to protect your privacy. If your privacy is being jeopardised by a security vulnerability, then it’s a security problem.

      It’s like saying because business data is being stolen it’s a business issue, not a security issue 🙂

      1. Glenn wrote on

        Circular logic is seldom as convincing as one expects it to be.

    2. Granjow wrote on

      What if a URL contains a password, e.g. ftp://myuser:secretpass@myserver.foo?

      1. j-boo wrote on

        pants-pooping time? 😉

  12. Paco Martinez wrote on

    Come on. I trust in you

  13. Martin wrote on

    Once this is fixed (hopefully soon!), I would really appreciate some more details as the description of the security flaw is indeed quite vague.

    What exactly could have happened in the worst-case scenario?

  14. lolo wrote on

    I’ve something to confess: At first I did not understand this new release scheme with all new versions numbered as “major”… but that most of the time proves “minor” in user experience!

    In fact they are “major” in new flaws!

    Clap-Clap, keep the good job guys… up to be the new “Internet Explo(d|r)er”.

  15. Scouter Scot wrote on

    This is a shame. Not the security violation, but rather Mozilla’s brand of notification. How many millions of users are moms, kids, or NFPs that don’t know or care to know this site or those like it exist? Who notifies them, Mozilla? If a Google+ user hadn’t mentioned it in passing, I never would have known.

    1. Chris wrote on

      If you heard through Google+, then pretty much nobody else will ever hear about it 😉

      1. Ben wrote on

        What? Who updates their browser without taking at least a peek at what that update will do? This is the first issue marked as fixed on the info page which is linked to in the update dialog.

  16. Boka wrote on

    I will wait for 16.0.1

    1. Ant wrote on

      I guess the decades-old saying still holds, “Never install a point-O version.”

  17. JaSK wrote on

    Just clear your browsing history or use FirefoxPortable for today.

    Also I think Facebook is the only page on the internet that would actively exploit this vulnerability.

    So stay off FB for a day until a fix is released, or clear your history, or use FirefoxPortable.

  18. Tom Kane wrote on

    Is Aurora 17 affected? And does this problem with Firefox 16 affect all versions of Windows and also Mac OS 10.7?

  19. Ingo-Hanno Minke wrote on

    I completely uninstalled Firefox. After installing version 15.01, Secunia PSI complained and immediately installed version 16 again!! That is supposed to be a security company?? Minke

  20. Ingo-Hanno Minke wrote on

    I completely uninstalled Firefox. After I had installed Firefox 15.01, Secunia PSI installed version 16 again. That is supposed to be a security company.
    Minke

  21. James wrote on

    Hi Michael,

    Are Firefox Nightly versions (e.g., 19.x) affected by this as well? (I’m assuming they are?)

    Thanks!

  22. Sean wrote on

    I’ve noticed precisely the same problem we had with the old UPDATE RELEASE. The first Major Number upgrade IS ALWAYS FLAWED, quickly followed by a patch. This is why we waited for two to three minors on the old system before jumping into the next major. Now we autoupdate into the busted version before we know if it works and really need to wait for the x.1 or x.0.1 version before accepting the next bit ‘o detritus.

  23. Andrew wrote on

    Should any of the dev-team be reading this and haven’t been too disgusted to stop yet …

    Thank you for quickly informing us of the vulnerability and working quickly to patch it. I would much rather have a software vendor that educates its users instead of keeps them in the dark to save face.

    As Granjow mentioned, there could potentially be situations where the user has visited webpages whose URIs contain credentials or other sensitive information. I also wouldn’t care to have knowledge such as who I bank with or what communication services I use known to malicious parties that would exploit this vulnerability.

    Keep up the great work, Devs!

  24. Mike wrote on

    There is also another bug…
    I tried to ‘upgrade’ to FF 16 on two machines, a standard PC and a laptop, both running XP. After running the program, neither computer would re-boot on its own. After a long wait, I manually re-booted. Once booted, neither one had Firefox, but after a VERY long wait the update eventually started. I may have to go back to them and reload V15.0.1.

  25. Andy wrote on

    What is the status for the beta builds?
    I see that 16.0b6 is available on the website – is this affected?
    Also, my Firefox Help/About just says version 16.0, so I’m not sure what version of 16.x is affected.

  26. Bryan Price wrote on

    Does this affect 17 and above (I’m running 19.0A1 right now myself…)?

    @Matt A. Tobin: As far as things go right now, I’m not seeing too much breakage of extensions.

    http://www.bryanlprice.com/extensionlst.html

    If you’re really worried about breakage, download a portable Firefox beta, and sync it with your current Firefox and see if everything works.

    1. mcoates wrote on

      Bryan,

      No this does not impact 17 and above.

  27. Vik wrote on

    Firefox is still one of the most secure browsers out there. I look forward

  28. Henry wrote on

    Are Firefox Beta and Aurora also affected?

    1. mcoates wrote on

      No, as of today, Firefox Beta and Aurora are not vulnerable.

  29. May wrote on

    > The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.
    Let me guess… Referer for which website I’ve visited and JavaScript “document.location” in order to have access to the URL, wait… OMFG, every browser is flawed! Women and children first!

  30. stoney wrote on

    I just read the article in the news about v16. I went to Firefox Help > About Firefox to see what version I was on; it said 15 but then immediately downloaded and installed 16. How and why, if 16 was removed????

    1. mcoates wrote on

      The updates are now live. That is why you have Firefox 16. If you go to the menu bar, click the Firefox menu and select About Firefox you should see version 16.0.1.

      More information on checking your version number and updating can be found here:
      http://www.mozilla.org/firefox/update/

      1. stoney wrote on

        cheers dude

    2. Valentin G. wrote on

      Probably because it had already downloaded the update, but it did not install it yet. When you restarted your browser it switched over to the new version.

      IMO this was blown out of proportion. Mozilla could have easily kept quiet about this, but they didn’t. Just because they wanted to protect their users.

      Hat off to Mozilla.

  31. Melvin Alvarez wrote on

    Could the G Data CloudSecurity add-on be a solution to fix this vulnerability?

  32. Critic wrote on

    Since this vulnerability seems to be critical enough for Mozilla to take those extreme measures,
    I urgently need more information on that issue!
    – What do you mean when you say “URL Parameters”?
    – Are there any websites known right now that would have exploited that vulnerability in the wild?
    – Do websites which handle sensitive information (e.g. online banking, Apple, Apple ID, Apple iCloud, Google, Google Mail, Amazon etc.) nowadays save any of that information, like passwords, in the URL, so that an attacker might have compromised my e-mail accounts, iCloud backups etc.?
    – Do users who have been using FF 16 for 3 days now have to change all their passwords?
    – How was a downgrade to help, since FF 15 has several other known security vulnerabilities?
    – How likely is the existence of an exploit of the FF 16 issue in the wild? Is it easy to implement such a thing into a commonly used website?

  33. Wolfgang D. wrote on

    Thank you for your lightning-fast fix. Just installed 16.0.1.

  34. Bob wrote on

    Still no official 64-bit version for Win64? I’d consider this a bug 😉

  35. StephanieX wrote on

    Stop complaining. Like business users, wait for a program to become stable before updating.

  36. Help wrote on

    I just got the famous – “Blue Screen of Death”.

    Q: Could it have been a result of the vulnerability?

    1. mcoates wrote on

      No, a blue screen would be completely unrelated to this issue.

  37. Andreas wrote on

    A few observations from a non-nerd user:

    1. I have only learnt today through BBC World that the security problem with Firefox 16 exists, and that this blog exists.

    2. Download of 16.0.1 was initiated automatically tonight, but it has not been possible to positively countercheck on the regular website whether this is the old problematic version or the promised safe update.

    3. In your blog above, the two bullets under “Update (Oct 11, 2012)” are absolutely unclear with respect to the key information needed, namely whether the mentioned release of the update refers to the old unsafe or the new safe version.

    4. Further down mcoates posts a blog saying “The updates are now live. That is why you have Firefox 16. If you go to the menu bar, click the Firefox menu and select About Firefox you should see version 16.0.1. ” So that reads as if I now had Firefox 16 AND 16.0.1 at the same time. Key information still missing.

    In short, clarity and accessibility of information in such an unfortunate situation should be the top priority for Mozilla. Instead, the customer has to search for it, and then it is gobbledegook … Not impressive!

    Andreas

    1. mcoates wrote on

      Andreas,

      Thank you for your comment. I’ve added the fixed version number to the update at the top of the post. 16.0.1 is the current version and contains the patch for the identified issue.

      -Michael

      1. Eurythrace wrote on

        I’ve been a FF user since about FF 1.3 when it was new, but I’ve never seen anything like this most recent UPDATE. Can someone please explain why the UPDATE from FF 16.0 to FF 16.0.1 required ~21.7MB when the new install package for FF 16.0.1 is only ~17.3MB? Is there really that much compression in the install package? And did it really require what appears to be a complete refresh of the entire program to fix a “minor” security bug???

        Thanks in advance for your response.

        1. j-boo wrote on

          urp. and if you check your update history after installing version 16.0.1, it’s been wiped.

  38. io wrote on

    I use both: Chrome because it has Flash built-in, and I use it with the integrated Google services; Firefox without add-ons, for security, to browse the rest of the unsafe www, except for version 16.0 of course…

    I am browsing this page with Chrome while updating ffx to 16.0.1; it doesn’t show up right. Moved to ffx, it works.

    just saying

  39. tlr wrote on

    captcha not working?

  40. j-boo wrote on

    Confused. Firefox gave me an automatic update yesterday evening, I trusted them so I didn’t pay much attention. Just now saw article making me aware of the security problem, panic, because I know I was updated yesterday, and I know I visited some malicious sites (necessary evil). Still panicking, check my version, it says 15. Check my update history in firefox, it shows that version 16 was downloaded yesterday, but instead of Installed Successfully, it says Installation Pending. My firefox was up all night (fell asleep with it on), did they downgrade me back to 15 while I slept? Does the malicious website I visited after the automatic update yesterday now have all my passwords/urls for every other site I visited? Why was version 16 showing as downloaded but ‘Installation Pending’ in my update history, how did I get back to 15?
    So confused, I am but a humble caveman and I do not understand your strange modern devices. I hate technology and I wish we still lived in the dark ages. Automatic updates are off, off, off, FOR GOOD.

  41. Daniel wrote on

    Trolling?

    Really?

    Trolls can fuck themselves. Honestly, Mozilla knows their shit… Chrome has neither the experience nor the cohesion that Firefox has.

    Firefox is by far the best and most solid web browser on Windows; its range of add-ons and design are far superior to Chrome’s. Already on 16.0.1.

  42. Rajesh wrote on

    It’s October 12 IST and as of today Firefox is safe. Safest of all the browsers. Even Chrome tracks everything, uploading data to their servers. I trust in Firefox !!

    SpreadFirefox.com

    Long live firefox !!.

  43. Andy Scott wrote on

    I just checked ‘About Firefox’ to check I was on version 15. I was, but checking automatically triggered the install of 16. No way to stop it. Like j-boo, I’m never using automatic updates again.

  44. Joe King wrote on

    Why has Mozilla stopped PGP-signing releases available under http://releases.mozilla.org/pub/mozilla.org/ for versions 16.x? Until 15.x every release had an accompanying signature. There are currently security challenges all over Mozilla it seems.

    1. mcoates wrote on

      Joe,

      We are signing the sha512sum file:
      e.g.
      http://releases.mozilla.org/pub/mozilla.org/firefox/releases/16.0.1/SHA512SUMS
      and
      http://releases.mozilla.org/pub/mozilla.org/firefox/releases/16.0.1/SHA512SUMS.asc
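
The signing scheme described in the reply above (one PGP-signed SHA512SUMS list instead of a signature per file) only protects a download if the downloader checks both the signature and the digest. The following shell functions are an added example, not Mozilla's own tooling: they verify the detached signature over SHA512SUMS and then compare one downloaded file with its entry; the release paths are illustrative, and the Mozilla release-signing public key is assumed to be already in the local gpg keyring.

```shell
#!/usr/bin/env bash
# Added example (not Mozilla's release tooling): verify a downloaded Firefox
# release file against the PGP-signed SHA512SUMS list.
# Assumptions: gpg and sha512sum (or shasum -a 512) are installed, and the
# Mozilla release-signing key has already been imported into the gpg keyring.

# Print the SHA-512 hex digest of a local file with whichever tool exists.
digest_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        shasum -a 512 "$1" | awk '{ print $1 }'
    fi
}

# Verify the detached signature (SHA512SUMS.asc) over the checksum list.
# Until this succeeds the digests in SHA512SUMS prove nothing: whoever can
# alter the download on a mirror can alter an unsigned checksum file too.
verify_sums_signature() {
    sums_file="$1"
    sig_file="$2"
    gpg --verify "$sig_file" "$sums_file" >/dev/null 2>&1
}

# Look up the expected digest for one release path in SHA512SUMS.
# Each line is "<128 hex chars>  <path relative to the release directory>";
# the path may contain spaces (e.g. "win32/en-US/Firefox Setup 16.0.1.exe"),
# so everything after the two-space separator is taken as the path.
expected_digest() {
    sums_file="$1"
    rel_path="$2"
    awk -v p="$rel_path" '{
        path = substr($0, index($0, "  ") + 2)
        if (path == p) { print $1; exit }
    }' "$sums_file"
}

# Compare a downloaded file with its SHA512SUMS entry.
# Exit status: 0 match, 1 digest mismatch, 2 path not listed in SHA512SUMS.
verify_download() {
    sums_file="$1"
    rel_path="$2"
    local_file="$3"
    want=$(expected_digest "$sums_file" "$rel_path")
    [ -n "$want" ] || return 2
    got=$(digest_of "$local_file")
    [ "$got" = "$want" ]
}

# Full check: trusted signature first, then the per-file digest.
# Exit status: 3 when the signature does not verify, otherwise as above.
verify_release_file() {
    sums_file="$1"
    sig_file="$2"
    rel_path="$3"
    local_file="$4"
    if ! verify_sums_signature "$sums_file" "$sig_file"; then
        echo "signature on $sums_file did not verify" >&2
        return 3
    fi
    verify_download "$sums_file" "$rel_path" "$local_file"
}
```

After downloading SHA512SUMS, SHA512SUMS.asc and the installer from the release directory, a call such as `verify_release_file SHA512SUMS SHA512SUMS.asc linux-x86_64/en-US/firefox-16.0.1.tar.bz2 ./firefox-16.0.1.tar.bz2` returns 0 only when both the signature and the digest check out.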

  45. Jan Schejbal wrote on

    Could you please post a link to bugzilla or anything else with more detailed information about the issue?

    1. Jesse Ruderman wrote on

      https://bugzilla.mozilla.org/show_bug.cgi?id=799952 – Cross domain access to the location object

  46. Firefoxed wrote on

    The following just blew my mind.

    There’s a link to this blog article on the release notes for 16.0.1:
    http://www.mozilla.org/en-US/firefox/16.0.1/releasenotes/

    When I click on the link on that page to this blog article, I get a rather startling error message:

    “Untrusted Connection […] You have asked Firefox to connect securely to blog.mozilla.org, but we can’t confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified. […] If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn’t continue.”

    So Firefox doesn’t trust Mozilla’s own security blog, and flags it as a potential security risk! C’mon guys, this doesn’t exactly inspire confidence! What the bleep’s going on here?!

    1. mcoates wrote on

      I went through the steps you described and I don’t receive any certificate warning messages and the certificate chain is valid and trusted within Firefox. I confirmed this on a second machine as well.

      There is additional information at the following link on certificate errors.
      http://support.mozilla.org/kb/connection-untrusted-error-message

      1. Firefoxed wrote on

        Many thanks for taking the time to respond mcoates – I appreciate it.

        I’m still getting the “This Connection is Untrusted” warning when I click on that link (which is the URL for this blog page prefixed with “https://”.

        In the technical details of the warning it says:

        blog.mozilla.org uses an invalid security certificate.

        The certificate is only valid for blog.mozilla.com

        (Error code: ssl_error_bad_cert_domain)

        There are a number of links on https://www.mozilla.org/en-US/firefox/16.0.1/releasenotes/ which begin with https://blog.mozilla.org/ and which all present the same issue. Just to let you know.

  47. Hans wrote on

    Just installed it on Ubuntu 11.04. I noticed that the information from the tag of the first website you load will stay visible during the whole session. It doesn’t update when you surf elsewhere.

  48. osos wrote on

    [dalaoqi@oshell 下载]$ firefox
    /usr/lib64/firefox/firefox: symbol lookup error: /usr/lib64/xulrunner/libxul.so: undefined symbol: PR_SetCurrentThreadName

  49. tony wrote on

    Will the user agent string for 16.0.1 be fixed soon? Was never updated in the patch and still reads 16.0. Thanks!

    1. jh wrote on

      The UA string was modified in Firefox 16 and going forward to remove the patch level of the browser.

      This was done to reduce fingerprinting (how easily a site can uniquely identify a user) and for protection. Non-patched browsers don’t look different from the patched browsers.

      For more information the bug is: https://bugzilla.mozilla.org/show_bug.cgi?id=572659

      1. tony wrote on

        thanks for the reply, and that’s fine, i wasn’t referring to the Gecko patch level, but shouldn’t the user agent be:

        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0.1

        Not:
        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

        That’s how it’s always been up until now. Without the .1 at the end there is no way to distinguish between a vulnerable 16.0 and a patched 16.0.1. How can network admins secure their networks against a vulnerable browser and force people to update to 16.0.1 without also blocking 16.0.1?

        Maybe I’m missing something.

      2. tony wrote on

        I guess I may have misread your comment at first; it sounds like you are saying this has been done on purpose to avoid a site targeting certain browsers. I find this to be an interesting decision, and one that could hurt in the long run. Interested in seeing this pan out. I’m unfamiliar with how fast Firefox automatically patches, so hopefully these browsers stay updated.

        1. Eurythrace wrote on

          I find the dropping of the minor version numbers in the UA to be of great relief. As pointed out in jh’s original response, it made fingerprinting website visitors much easier. Your decision to check for this info on your website is exactly WHY it was dropped. It was putting too much user info in the hands of “strangers”. It is up to the individual user to protect themselves, thank you very much. Caveat emptor.

          1. tony wrote on

            Oh I understand, and I see why this is important from a home user perspective. I don’t own a website, but user agents are used to secure corporate networks by blocking vulnerable browsers. There is now no way to block users from using a vulnerable 16.0 without also blocking 16.0.1. I can see how the majority of users are just home users and would benefit from this decision, but there are some downsides as well that affect people.

          2. tony wrote on

            While I understand why this is true for the average user, this is not why I was concerned. I don’t have a website or wish to track this information. I am just pointing out that while this is good for the average home user, it is not good for corporate networks that wish to protect themselves against vulnerable browsers. A large network can’t block vulnerable browsers without also blocking the patched ones. Knowing what browser version people are using can help alert people to patch and update their machines. Even Mozilla’s own website will have trouble knowing whether users are using the most up-to-date version of their product. There are both upsides and downsides to this decision.

            1. Eurythrace wrote on

              Tony,

              Yes, a corporate INTRAnet is a totally different environment. If you really want to track potential browser vulnerabilities by version number, perhaps you can make a corporate agreement with Mozilla to retrieve the same info they must be sending when FF checks for updates. Perhaps a small special add-in/extension on the client side would suffice to inform your servers and alleviate your concerns.

              Cheers.

  50. Wilbur wrote on

    It wasn’t just a security issue. Version 16.0 was completely dysfunctional. After 10 to 15 min, it would stop fetching websites and simply say “Looked up [domain name]” and then stop.

    Restarting it would recover… for 10 to 15 min and the problem would repeat.

    I checked for update (via Ubuntu) or bug reports on the lock up and found none. This morning I noticed that Firefox was using up 5.1 gigs of memory. There are and have been for a long time serious memory leak issues, but that was beyond the usual.

    Fortunately, Ubuntu had an update this morning, and after a couple of hours of running Firefox is only using 1 gig of memory. Though I suppose by the end of the day it will be up to 3 or 4 as usual.

    1. Ricz wrote on

      first day on FF16, 9 hours of work, 103 different urls opened, 11 tabs still open, most with firebug or 3d view, running smoothly, “just” 231mb of ram so far on win7/i7/6gb ram, and a total of 15 minutes cpu time (skype used 37). Also used a couple of hours on ubuntu, and didn’t notice strange memory usage. Maybe the issue is with your system or super-super heavy pages or some extensions?

  51. Shailesh wrote on

    Rapid Release gets new features into the hands of end-users faster, and is a necessity to compete with Google. We don’t want to go back to the old days of waiting 6-12 months for a new release, where lots of new features that were ready sooner would have to wait months for the release to see the light of day. Yes, occasionally, some nasty bugs will make it into the release, but that doesn’t seem to be much different from the way it was before. Mozilla needs to think about re-architecting the process security of Firefox the way Google Chrome has done, and then paying bounties for bugs, otherwise, Chrome is just going to pull away over time.

    1. The oldie wrote on

      But they should perhaps be better tested. Releases 16 and 16.0.1 have flickering menus running under Win7 64 bit. I went back to 15… which is ok in this respect, but forgot to turn off auto updates…
      I have seen that this has been a problem for others also in earlier releases.

  52. Bryan Price wrote on

    Sorry about the spam, but can I leave a message without the captcha security code?

    1. Jesse Ruderman wrote on

      Apparently you can! I filed https://bugzilla.mozilla.org/show_bug.cgi?id=801313 on the missing captcha.

  53. msth67 wrote on

    Such information should be publicized more rapidly and more evidently by Mozilla. I too would say that learning it from other web sources and then having to dig around for further enlightenment doesn’t look too good: what about also using Mozillazine to notify such unforeseen issues, and furthermore why not publicize the link to the bug, since at this point probably the folks who shouldn’t know in fact know already?

    1. pieroxy wrote on

      Well, maybe it is just not a big deal since there is no exploit. One can think that an exploit is highly unlikely on a browser released 3 hours ago. And a patch that quickly makes it much more unlikely that an exploit will ever see the light of day.

  54. Seen wrote on

    Really? So I get the popup to update, I update my Firefox, now I’m reading this and it’s telling me to downgrade

    1. mcoates wrote on

      As of 12pm PT on Oct 11 the patched version (16.0.1) was distributed to all users. If you’ve upgraded since that time you will be on the patched version.

      More information on checking your version number and updating can be found here:
      http://www.mozilla.org/firefox/update/

  55. A pissed off user. wrote on

    This release of information was handled very poorly.

    Next time something like this happens, you should post something on your main page indicating the problems. Be upfront. Do not hide it! That is how you lose TRUST!

    I updated to 16.0 when it was released. Went to do a few more machines the next morning and the update was gone, but I could find NO explanation why. Unacceptable.

    Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network and I would be forced to recommend anyone I know that uses the internet, against using this product.

    1. Dave wrote on

      you should also demand a refund

      1. John Meloche wrote on

        lol @ Dave. I agree! The fact he posted “pissed off customer” lol… customers pay money. I say, enjoy the fact you get such incredible software free. Everyone faces problems. The fact that communication could be improved for the next time something happens doesn’t warrant being a jerk in a forum.

    2. Slightly Sarcastic wrote on

      Pull your head out and take a deep breath of fresh air.
      Mozilla does not need to explain why they pulled the update, just be glad they did.
      You don’t want to post something like that on your “Front Page” because then you get people working hard to exploit it. That whole “TRUST” thing? Yea, Mozilla pulled the updates, worked on a patch, released a patch a day later. TRUST that they are indeed working hard to keep your browsing sessions as safe as they can.

      Threatening to “pull Mozilla from your personal and corporate machines” is about as whiny as you can get. You want Mozilla to pay you, too ? Put your money on a silver platter and butler it to your front door. ” Here you go sir, we are sorry for the screw up, won’t happen again.”
      Get real, bozo.

      The nerve of some people.

    3. gs wrote on

      You get what you pay for.

      1. gharlane wrote on

        atm I’m hard pressed to come up with the name of a browser you do have to pay for….. so your comment and attitude fall a bit flat.

    4. ffuser wrote on

      @A pissed off user:
      When it comes to a mission critical or corporate networked computers:
      1. Never set up auto-update for any application or download / install updates
      2. Never install a newly released application or update the same day unless you are aware of the bug-fix etc. and have a good backup for a quick roll-back.
      3. Read release notes, new features, known issues etc. before applying the update
      4. Download the update and install it from a local source so all your versions are consistent and you have a backup copy of the update

      “Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network ” – This happens with other applications as well… what’s your solution? remove them and switch to another app?

  56. Aron wrote on

    Since I’m absolutely in love with FF, I figured I might give the automatic update idea a go. Thankfully this incident came as a wake-up call, so while I’m not giving up on the good cause, I switched off automatic updates for good and started to make the effort to finally fine-tune my Opera as a backup – so yeah, good faith has been slightly shaken, I’ll be more careful before accepting any .0 version for sure. Good job churning out the fix quickly though, it restored some trust. Keep up the good work!

    1. Daniel Veditz wrote on

      And what happens when you forget to check for updates manually every day? You’ll go days or weeks on an old version rather than the one day in this case. Not sure you’ve learned the right lesson from this incident.

  57. Ben Reaves wrote on

    I learned about it from Marketplace Tech Report this morning and within half a day I see the update. I think this is pretty *good* response compared to other software vendors. Makes me want to stay, not switch

  58. zbravo wrote on

    I really don’t know why we have only major releases. Since what, version 4? I can only get major version number releases.

    I don’t think that would be the most correct approach. We should be at around version 6, probably with the change of looks to the “like-office” menu.

  59. mr peabody wrote on

    How many of my current programs will no longer be supported? This seems to happen every time I allow one of these updates to install. Very frustrating.

  60. Jim wrote on

    For a major web browser, the frequency of version releases is a bit over the top. How about dramatically lowering the frequency of releases, and getting things right? Besides, who wants to update every week?

    1. Jim Russell wrote on

      I do.

  61. Scott wrote on

    “As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. ”

    Of course, when you go to that link, there are no instructions, but rather a link to download the faulty 16.0.1. Smooth move.

  62. Another Pissed Off User wrote on

    Who is that mastermind chief programmer of firefox?

  63. Another Pissed Off User wrote on

    Who is that firefox mastermind chief programmer?
    Hand out Email Address and Telephone Number!

  64. Bart Benus wrote on

    So Mozilla developers are less than perfect. This is shocking news indeed: I was told they were Super Humans from outer space, that never make a single mistake, not ever! Thanks, you people at Mozilla, for all your honesty and excellent work: I will not even consider using anything else.

  65. john o neill wrote on

    Hi,
    when I right click on a webpage to send a link it is not letting me do this. Any suggestions or comments please?

    1. Jesse Ruderman wrote on

      You can send a link to the page from the File menu (or Firefox menu on Windows). See https://bugzilla.mozilla.org/show_bug.cgi?id=786185 and https://bugzilla.mozilla.org/show_bug.cgi?id=239307

  66. Security Code is blank, no image wrote on

    Security Code is blank, no image

  67. Security Code is still blank, still no image wrote on

    Security Code is still blank, still no image

  68. Firefox Fanatic wrote on

    Firefox is so cool! Go Vixens!

  69. Cylon wrote on

    Hi
    From one night to the next morning, my Firefox 16.0.1 has stopped working. Other browsers do work, but not Firefox. I made no changes in my firewall, nothing.
    I have uninstalled Firefox and reinstalled it again, but it doesn’t work

    Can anyone give me any solution? Thanks

  70. Markus wrote on

    How can I downgrade to Thunderbird version 15?

  71. josh wrote on

    Why is the 16.0 version still supplied for Android?
    The 16.0.1 version has already been available for days. Please supply it to the Google Play Store.
    Now every day I get a reminder to upgrade my 15 version to 16.0, the one with the security bug that I don’t want.
    Please withdraw the buggy version or supply the patched one.

    1. mcoates wrote on

      The android version was patched and released at 9pm PT on Oct 10. You’ll see that it is version 16.0.1

      https://play.google.com/store/apps/details?id=org.mozilla.firefox

  72. Jonau wrote on

    Firefox used to be a great product and secure (relatively).
    Today Firefox is worse than Microsoft products.
    I will definitely switch to another web browser.
    Every good thing has an end and this is the end of Firefox.

    1. pieroxy wrote on

      Just out of curiosity, what exactly do you find worse in Firefox than in Microsoft?

      To me, if anything, this little thing proved that Mozilla is *super fast* in releasing patches for security vulnerabilities. Much more so than Microsoft is.

      1. TubeLugs wrote on

        Umm, “super fast” as in “security patches break other things because they are insufficiently tested”?

  73. Mase wrote on

    I was unlucky enough to have downloaded the update while making an online purchase. Now I am certain my CC has been compromised. Have been tracking certain items on my wish list suddenly they were available for unbelievable prices. It was only AFTER “purchasing” these items that I realized that the browser may have been compromised. So now I am with Aron, I have permanently turned off auto updates and I may never use FF the same way again. Will still use it to browse, but never for anything serious. Thought this kind of thing only was supposed to happen to IE users.

    1. Daniel Veditz wrote on

      Mase: any troubles you’re having are nothing to do with the security flaw described here.

      1. while you can download updates while browsing, you have to restart Firefox to apply the update. There’s no way anything could change in the middle of a purchase.
      2. the flaw described in this article only leaked the address (http://etc) of the page you were visiting. Your CC number is never in the URL, you enter it into a form and post back to the server.

      Were you “tracking” the items using a wish-list feature of the on-line store? The store obviously knows that information and may be trying to entice you. Were you “tracking” them by repeatedly visiting them on a store site? The store knows that, too (unless you use private browsing and don’t log into your store account), and could be trying to entice you. Nothing to do with this flaw.

      Do you visit http://www.mozilla.org/plugincheck regularly to make sure your 3rd party plugins are up to date? If not, and especially if you have Java installed, then you may well be compromised — but not through Firefox itself. See the next article in this blog, “Click-to-Play Plugins, Blocklist-Style”, for our plans for dealing with that issue.

      1. Mase wrote on

        Impact:
        The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.

        This is exactly what happened to me. I’ve made dozens of purchases from this very reputable site for years with absolutely zero problems. Then on 10/12, a few items suddenly dropped in price. Not once, not twice but on at least a DOZEN different unrelated items. All from the exact same seller whom I had never previously heard of in my 7-10 years of making purchases. At the time, I could not believe that all these items had suddenly become available and VERY affordable. It seemed almost too good to be true. Thinking it was safe to try, I purchased one of the items. Afterward, I noticed my FF browser was acting a little wonky. I logged out of the site and closed the browser like I always do. Still feeling a little suspicious, I ran all my protection software (anti-virus, spyware, anti-trojan, rootkit, etc all in safe mode then again in regular mode). Everything ran with zero detections so I relaxed a bit. It was only after trying to open FF later that I got alerts from my firewall that FIREFOX browser was trying to access something in connection with explorer.exe. Now I am pretty certain after reading the IMPACT provided here that the site’s URL may have been accessed since I visit the site and search for items almost every day (but don’t log on). It has all the feelings of a phishing site. But I am no expert. I only know it’s not feeling right. So after running all that software again (for safe keeping), I decided to go back to a previous date before the update. Which brings me to this page. End of story.

        1. Daniel Veditz wrote on

          “Now I am pretty certain after reading the IMPACT provided here that the sites URL may have been accessed”

          That’s not how this flaw works. A malicious site can only read the URL you browse in a frame inside that site (which could visually be the whole tab, but the URL at the top would remain the attacking domain) or if the malicious site opens a new window or tab and you then browse in that. It cannot read arbitrary URLs out of your history or from windows unrelated to the malicious site.

          “I got alerts from my firewall that FIREFOX browser was trying to access something in connection with explorer.exe”

          This flaw most definitely can’t do THAT.

          You may have ad-ware installed that’s either too new to be detected or skirts the legitimacy line enough (“informed consent” in the form of a buried opt-out checkbox in an install) that they’re afraid to call it malware because they could get sued.

      2. Mase wrote on

        btw, you certainly can update the browser in the middle of a purchase. All you have to do is HELP tab and select ABOUT FIREFOX in the drop down menu. Once you do this FF will search for, download and then INSTALL the update all without closing the window. Then you will have to restart FF for the update to take place.

        1. hillbilleter wrote on

          Mase, what you have done is NOT to update in the middle of a purchase, by your own description. Your own statement, “Then you will have to restart FF for the update to take place” proves that all you have done is a simple download, not an installation. And the website that is worrying you may have improved its cookie placement procedures and put cookies in your browser to follow your habits. That’s what they do. Amazon comes to mind. After that, when you browse anywhere that allows those cookies to “talk” with a site that allows ads, the ads are trying to sell you things you’ve shown an interest in before. If you want to get rid of your cookies to test it, that may set your mind at ease.
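Daniel Veditz's replies in the thread above describe the boundary the flaw crossed: a page may normally read the URL of a framed or opened document only when that document is same-origin, and what a cross-origin leak exposes is the URL and its query parameters, not data posted in a form body. The following is an added example, not code from the original post or from Mozilla, and it does not reproduce the Firefox 16.0 bug: it models the same-origin check a correct browser applies before granting that read, using Node's WHATWG `URL` class, and adds a small audit helper for the practitioner question the impact statement raises, namely whether a site carries secrets in query strings that a URL leak would expose. All URLs and the `sensitiveQueryKeys` name patterns are constructed for the example.

```javascript
// Added example (not from the original post or Mozilla): the same-origin
// decision for reading another document's location, plus a query-string
// audit for secrets that a URL leak would expose.

// Default ports are normalized so that "https://a/" and "https://a:443/"
// compare as the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple (scheme, host, port) rendered as a string.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What a script running at readerUrl may read of a framed/opened document
// at targetUrl under the policy a patched browser enforces: the full URL
// when same-origin, nothing otherwise (a real browser throws a
// SecurityError on the cross-origin property access; null stands in here).
function readableLocation(readerUrl, targetUrl) {
  if (!sameOrigin(readerUrl, targetUrl)) return null;
  return new URL(targetUrl).href;
}

// Audit helper: names of query parameters whose keys look like secrets.
// The patterns are an assumption of this example; tune them per site.
function sensitiveQueryKeys(urlString, patterns = [/token/i, /session/i, /^sid$/i, /auth/i, /key/i]) {
  const u = new URL(urlString);
  const hits = [];
  for (const key of u.searchParams.keys()) {
    if (patterns.some((p) => p.test(key))) hits.push(key);
  }
  return hits;
}

// Constructed sample URLs.
const ATTACKER = 'https://attacker.example/';
const SHOP_ITEM = 'https://shop.example/item?id=42';
const SHOP_HOME = 'https://shop.example:443/';
const RESET_LINK = 'https://shop.example/reset?token=abc123&id=5';

console.log('cross-origin read  :', readableLocation(ATTACKER, SHOP_ITEM));   // null
console.log('same-origin read   :', readableLocation(SHOP_HOME, SHOP_ITEM));  // full URL
console.log('secrets in query   :', sensitiveQueryKeys(RESET_LINK));          // [ 'token' ]
```

The design point is that the origin comparison is the whole gate: the framed page's URL is cross-origin data, so a bug that skips the gate exposes everything the URL carries, which is why a form-posted card number is out of reach but a reset token or session id in a query string would not be.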

  74. Rafael wrote on

    How do I go back if the program does the update automatically? You should have seen these errors before sending out the browser upgrade

  75. Raj wrote on

    Kaspersky Internet Security 2013’s Safe Money feature doesn’t work on Firefox 16.0.1
    Now I’m not starting a debate on how good or bad Kaspersky is, but the point is it’s a popular anti-virus app and the fact that it doesn’t work with the new Firefox makes people jittery. My organisation uses Kaspersky on all the machines and since the amount of online transactions we do is large, we are forced to use Internet Explorer and I hate it…. so who looks into this??

  76. João Dantas wrote on

    I couldn’t log in to this bank site since Firefox 14.0 because of non-compatibility with the security plugin. With the 16.0.1 version things went worse, and now Firefox crashes before it can open this page (Banco do Brasil).

  77. Matthew Atkinson wrote on

    When you issue these releases, please give times that everyone can understand.

    ’12pm PT on Oct 11′ requires me to go and look up what ‘PT’ means. Wikipedia’s entry for PT has loads of entries, but none of them are for a timezone.

    Can you either give the time in UTC, which everyone knows how they relate to, or at the very least explain what the offset between PT and UTC is?

    1. David wrote on

      http://en.wikipedia.org/wiki/Pacific_Time_Zone

  78. puru singh wrote on

    Been in love with Firefox for a long time. Love everything ’bout it, specially its smooth scrolling prowess. Then this had to happen but fortunately upgraded as soon as the upgrade was available so its like ok. Only grudge is the Kaspersky compatibility issue. Tryin’ out v17.0.1 and Aurora at the moment.

  79. Aunty wrote on

    I’m working on a second hand laptop and I’m not sure how much clear memory it has so I don’t want a stream of updates to clog it up. When I was offered the original version I read the small print and they made it clear it had little bugs so I opted not to update. The old one that everyone went back to was still working fine. If you do take the offer to be the first to try something you have to be prepared to encounter little glitches. You can report these bugs but you can’t really complain – especially if it’s free.

  80. Mystery Man wrote on

    so much gaga on just one software? Give me a break!

  81. Don wrote on

    I keep getting asked to upgrade immediately. I usually do, but for some reason, this time, read these comments first. Glad I did.

    You said “Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.”

    I’m waiting…

    I’m on 15.0.1 and have not updated. Things appear to work fine. Reading the comments, 16.0.1 sounds faulty. When you have these new “patches” ready, can you clearly say that they fix whatever problems are in 16.0.1 and are ok to allow an update on 15.0.1?

    I’m not a tech guy, just a user that wants to continue with FireFox.

  82. Rod F wrote on

    I have installed V16.0.1 several times and on all occasions the following website has hijacked the browser. I have been following the process since last week when the vulnerability of V16.0.0 was identified and when I had first installed it on my new laptop. I tried V15 as well but that didn’t change anything. Today, I felt secure that it was now safe to try it again with the same result. Changing my homepage does not solve the problem either. I had also taken it to a computer repair shop to have it cleaned before re-installing it today. What do I do?

    http://www.ggle.org.uk/index.php?hp=1&OVKWID=ff3

  83. Dave Steckel wrote on

    16.0.1 Thunderbird doesn’t auto remove junk. When you try to check move junk mail to folder, the ok doesn’t work. So you have to manually recheck each junk mail and click not junk then click junk to get rid of it. And 16.0.1 doesn’t put the junk in the junk folder. If it isn’t fixed soon, do we have to reinstall the last working 15.? load?

  84. Robert Kann wrote on

    I downloaded a Firefox upgrade and Babylon took over my firefox browser and I couldn’t get rid of it. I had to pay $130.00 to have someone take off of my computer. How can I guarantee if I go back to firefox that I will be safe without this happening again.

    Robert