Security Vulnerability in Firefox 16

mcoates

Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.

Issue:
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.

Impact:
The vulnerability could allow a malicious site to determine which websites users have visited and to access the URL or URL parameters. At this time we have no indication that this vulnerability is being exploited in the wild.

Status:
Firefox 16 has been temporarily removed from the current installer page, and users will automatically be upgraded to the new version as soon as it becomes available. As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.

Michael Coates
Director of Security Assurance

155 responses

  1. Don wrote on :

    I keep getting asked to upgrade immediately. I usually do, but for some reason, this time, read these comments first. Glad I did.

    You said “Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.”

    I’m waiting…

    I’m on 15.0.1 and have not updated. Things appear to work fine. Reading the comments, 16.0.1 sounds faulty. When you have these new “patches” ready, can you clearly say that they fix whatever problems are in 16.0.1 and are ok to allow an update on 15.0.1?

    I’m not a tech guy, just a user that wants to continue with Firefox.

  2. Rod F wrote on :

    I have installed V16.0.1 several times and on all occasions the following website has hijacked the browser. I have been following the process since last week when the vulnerability of V16.0.0 was identified and when I had first installed it on my new laptop. I tried V15 as well but that didn’t change anything. Today, I felt secure that it was now safe to try it again with the same result. Changing my homepage does not solve the problem either. I had also taken it to a computer repair shop to have it cleaned before re-installing it today. What do I do?

    http://www.ggle.org.uk/index.php?hp=1&OVKWID=ff3

  3. Dave Steckel wrote on :

    16.01 Thunderbird doesn’t auto remove junk. When you try to check move junk mail to folder, the ok doesn’t work. So you have to manually recheck each junk mail and click not junk then click junk to get rid of it. And 16.01 doesn’t put the junk in the junk folder. If it isn’t fixed soon, do we have to reinstall the last working 15.? load?

  4. Robert Kann wrote on :

    I downloaded a Firefox upgrade and Babylon took over my Firefox browser and I couldn’t get rid of it. I had to pay $130.00 to have someone take it off of my computer. How can I guarantee if I go back to Firefox that I will be safe without this happening again?

    Robert
