Security Vulnerability in Firefox 16



Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.


The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.


Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available. As a precaution, users can downgrade to version 15.0.1 by following these instructions []. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.


Michael Coates
Director of Security Assurance
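Several readers below ask which versions are affected. The advisory itself only states three things: 16.0 is affected, 15.x is unaffected, and 16.0.1 carries the fix. The following triage helper is an added example (not Mozilla's code) that parses a `firefox --version` line and classifies it strictly on those statements; anything the advisory does not mention (ESR builds, Aurora 17, older releases) is reported as "not covered" rather than guessed. The sample version lines are constructed.

```python
"""Triage helper for the Firefox 16 advisory.

Added example, not Mozilla's code. It maps a Firefox version line to what
the advisory states: 15.x unaffected, 16.0 affected, 16.0.1 (or a later
16.x) fixed. Anything else is "not covered" because the advisory is silent
about it. Sample version strings are constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches the version in `firefox --version` output, e.g. "Mozilla Firefox 16.0"
# or "Mozilla Firefox 10.0.8esr" (the "esr" suffix is captured separately).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)

AFFECTED = "affected"          # 16.0: the release the advisory describes
FIXED = "fixed"                # 16.0.1 or a later 16.x release
UNAFFECTED = "unaffected"      # 15.x, stated as unaffected
NOT_COVERED = "not covered"    # anything the advisory does not mention


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric_tuple, is_esr) for a version line.

    The tuple is padded to three components so 16.0 and 16.0.0 compare equal.
    Raises ValueError when no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return nums, m.group(2) is not None


def classify(text: str) -> str:
    """Map a version line to one of the four statuses above."""
    nums, is_esr = parse_version(text)
    major = nums[0]
    if is_esr or major not in (15, 16):
        return NOT_COVERED      # ESR, Aurora 17, 3.6, ...: the advisory says nothing
    if major == 15:
        return UNAFFECTED
    # major == 16: 16.0 is the vulnerable release, 16.0.1 and later carry the fix
    return FIXED if nums >= (16, 0, 1) else AFFECTED


def installed_firefox_status(binary: str = "firefox") -> Optional[str]:
    """Run `<binary> --version` and classify it; None if it cannot be run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return classify(out)


if __name__ == "__main__":
    # Constructed sample lines in the format `firefox --version` prints.
    for line in ["Mozilla Firefox 16.0", "Mozilla Firefox 16.0.1",
                 "Mozilla Firefox 15.0.1", "Mozilla Firefox 10.0.8esr",
                 "Mozilla Firefox 17.0a2"]:
        print(f"{line:28} -> {classify(line)}")
    status = installed_firefox_status()
    print("installed:", status if status else "firefox not found on PATH")
```

Treat "not covered" as "check the vendor notes for that branch", not as safe: the classifier deliberately refuses to extrapolate beyond what the post says.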

155 responses

  1. Laura Brouillette wrote on :

    I just downloaded 16, should I put back the 15…have Windows7!!

    1. mcoates wrote on :

      There is no need to revert to version 15. Version 16.0.1 contains the fix to this issue.

      More information on checking your version number and updating can be found here:

  2. ffover9000 wrote on :

    HowToFix: download Google Chrome. /rofl

    1. Pseudonymous Neuron wrote on :

      Oh, because of course Chrome has far fewer vulnerabilities than Firefox ¬_¬

    2. Ajnasz wrote on :

      You know, there is only one issue with Chrome, but that’s a blocker one: it’s not Firefox.

    3. Scorpion3003 wrote on :

      I don’t know what’s so funny; Chrome just released another update after releasing one on Monday. Nice try on the trolling.

      1. mad.madrasi wrote on :

        I think you’re talking about Chrome to That is most likely because of an update to Adobe Flash Player. Chrome has frequent updates because of the onboard Flash Player and PDF (Foxit) viewer. Now that Firefox also has a PDF viewer, I guess we will see more such releases.

    4. silly puppy wrote on :

      Thank you for posting this. It has deepened the conversation and added insight I wouldn’t have picked up on my own.

    5. saeed wrote on :

      Google Chrome steals all your information, including private and public ones, and it does that without letting you notice that... Firefox is the best!

    6. Wesley wrote on :

      I say “no thanks” to google big brother browser. Remember with google, your data is the product up for sale and in many cases, for free.

      1. Audrey wrote on :

        They don’t sell it, like Facebook; they allow their database to be used and they target you. The “what you call buyers of personal info” don’t actually see that info at all. They enter parameters and from that users are targeted while browsing by the users’ likes and dislikes. Google and Facebook target you, not the companies. They don’t receive a list unless they hack the system and steal it.

      2. Naivity wrote on :

        Oh Wesley, dearest Wesley, are you not aware how Firefox even stays afloat?

        For Google, they need Firefox for market share, at the moment. Eventually Firefox within 3-5 years will lose its share and Google will eventually toss Firefox to the curb.

  3. Matt A. Tobin wrote on :

    another “success” of Mozilla’s RapidRelease program.

    I am very disappointed that Firefox builds that turn releases are not properly tested and have unprecedented stability, security, and reliability issues ever since the beginning of this so called RapidRelease program.

    The main issue is RapidRelease != Rapid Development. The actual development of the browser’s code base has not accelerated and with constant reversion and pulling of new code from the various build channels filtering down to the Release channel we are not getting nearly the compelling and stable firefox that made it the product we came to use and care about.

    With features and code being backed out you are left with mixing of new and old code which presents unpredictable results in the so called “Final” product which has affected stability and reliability in the browser since Firefox 5 began the trend.

    Obviously this was a marketing decision made with no regard for code stability or testing. It is and has harmed firefox so much more than the apparent slowness of the previous release cycle ever did.

    Why chrome is more successful than ever is that they actually develop very fast and thus their releases are faster but as it stands today nothing is faster about Firefox except how the constant major version number increases.

    If Mozilla is not up to the task of providing an end to end experience with a fast cycle of releases it should return to the tried and true method of releasing updated versions when they actually reach a specific standard for code and functionality. This is how Firefox became popular and at one time one of the most used browsers aside from Internet Explorer which was only used “because it was there”.

    For the time being I am currently using a stable and functionally complete fork of the Firefox codebase known as Pale Moon. It does not conform to the ideals of releasing regardless of stability or completeness until such time either the actual development of Firefox increases to match its rapid release model or they return to a more sane release cycle that is in line with the speed of actual development.


    Matt A. Tobin
    Commanding Officer
    Binary Outcast

    1. Gian-Carlo Pascutto wrote on :

      >another “success” of Mozilla’s RapidRelease program.

      The issue is completely unrelated to the Rapid Release process. It was not detected in 18 weeks of testing, and discovered because only the actual release gets far wider exposure than any testing release. A longer release process would just have meant it would have taken even longer for the issue to be discovered, and longer to fix.

      Because of the Rapid Release process, a security fix will be available less than a day after the issue was first discovered, and before exploits are in the wild.

      >For the time being I am currently using a stable and functionally complete fork of the Firefox
      >codebase known as Pale Moon.

      Which is slower to deploy security fixes, so this is a truly horrible argument to make. If you object to the rapid release, there are the Firefox ESR releases, which do not get any new features but still get security fixes at the same, faster pace.

      1. dav2 wrote on :

        I’m still running 3.6.28 because of noncompatible add-ons. Anything I can do about security issues? (Also 3.6.28 is the last one that runs on Apple Tiger O/S, if I am not mistaken.)
        I use add-ons – NoScript RequestPolicy, WOT, etc.

      2. Powerlord wrote on :

        There’s one major issue with Rapid Release that should be made obvious from what you said:
        A product with a 6-week release cycle has an 18-week test cycle. Meaning that you’re testing version 18 (or 19) now with 16 having just been released. Meaning that any bugs that do crop up that you miss that AREN’T serious won’t be fixed for several versions down the line.

    2. A wrote on :


      The rapid release cycle is an extremely shoddy idea, and should be stopped.

      > Because of the Rapid Release process, a security fix will be available less than a day after the issue was first discovered, and before exploits are in the wild.

      These security fixes are supposed to be released as incremental updates, not a whole new I-want-a-higher-number-waaah update.

  4. Westly wrote on :

    I am glad that the people of Mozilla are working hard to solve this ‘bug’. Keep up the good work!!!

  5. Zupfis wrote on :

    The rapid releases would be fine with me, if Firefox would ask before updating and include a list things that will be broken after the release.

    Given that with every single update since 5.0, at least one extension was broken, it is very annoying. Especially because it happens at random times without any kind of prior warning.

    1. Tom wrote on :

      I do not understand that, I’m using 10 extensions and since version 4 I never had problems with any extension after an update.

    2. ken wrote on :

      Have you noticed the option under the menu Options, Options, Advanced, Update, Firefox updates? Some combination there may assist.


    3. Stevo wrote on :

      I too have run into very few regressions or breaks in extensions since rapid release (maybe about 4 between ffx 4 and 8). I will take the memory and feature improvements any day. Even so, I think it’s pretty awesome that Mozilla is making the web better for browsers OTHER than Firefox. The Chrome users out there can be glad when Moz catches a security flaw within 24 hours because the tempo of progress and competition is definitely increasing!

    4. Patricia wrote on :

      You have the possibility to configure it in a way that Mozilla asks you if you want to install the updated version or not: Go to Configuration, Advanced, Updates (I have the version in Spanish so maybe these names are not exact, but you’ll find it out).

  6. Andrew wrote on :

    Can you confirm whether or not 10.0.8ESR is affected ?

  7. Peter wrote on :

    Please improve your testing procedures, Mozilla !!!
    Since Firefox 7 there have been too many issues, resulting in patches.

    Focus on the right areas: SECURITY, stability and web standards compliance. Stop messing around with the Firefox browser, so get rid of the planned Australis look and social media integration. This stuff is nonsense.

  8. Hristo wrote on :

    What about Ubuntu users, who were automatically updated to version 16.0 and do not have the option to downgrade to 15.0.1?

    1. Gian-Carlo Pascutto wrote on :

      A security fix will be available in the next few hours. (It already was built, but it’s still making its way through the mirrors and distribution channels.) I suppose Ubuntu will pick it up immediately as they have in the past.

      1. Chris Coulson wrote on :


        16.0.1 candidates for Ubuntu are available in We’ll push these out to users as soon as it is released.


    2. anon wrote on :

      Automatically? Only once you run an update! You can upgrade your system and ignore Firefox for now…

  9. Fred wrote on :

    I was automatically upgraded to version 16 without knowing it! This behaviour is totally crap! Normally I wait a few days to update manually to a new version because of these errors which are always contained in new versions.

    Put back the power of update in the hands of the users! I consider switching to Opera, which respects the user rights.

  10. Julien Boyer wrote on :

    Kudos for being honest and transparent about that. And for the quick fix.

  11. Glenn wrote on :

    Maybe I’m reading it wrong… but how is this a “security” issue as opposed to a privacy issue? (or did you leave something out of the description–intentionally or otherwise)


    1. Danny Moules wrote on :

      Security is being used as a tool to protect your privacy. If your privacy is being jeopardised by a security vulnerability, then it’s a security problem.

      It’s like saying because business data is being stolen it’s a business issue, not a security issue :-)

      1. Glenn wrote on :

        Circular logic is seldom as convincing as one expects it to be.

    2. Granjow wrote on :

      What if a URL contains a password, e.g.

      1. j-boo wrote on :

        pants-pooping time? 😉

  12. Paco Martinez wrote on :

    Come on. I trust in you

  13. Martin wrote on :

    Once this is fixed (hopefully soon!), I would really appreciate some more details as the description of the security flaw is indeed quite vague.

    What exactly could have happened in the worst-case scenario?

  14. lolo wrote on :

    I’ve something to confess: At first I did not understand this new release scheme with all new versions numbered as “major”… but that most of the time proves “minor” in user experience!

    In fact they are “major” in new flaws!

    Clap-Clap, keep the good job guys… up to be the new “Internet Explo(d|r)er”.

  15. Scouter Scot wrote on :

    This is a shame. Not the security violation, but rather Mozilla’s brand of notification. How many millions of users are moms, kids, or NFPs that don’t know or care to know this site or those like it exist? Who notifies them, Mozilla? If a Google+ user hadn’t mentioned it in passing, I never would have known.

    1. Chris wrote on :

      If you heard through Google+, then pretty much nobody else will ever hear about it 😉

      1. Ben wrote on :

        What? Who updates their browser without taking at least a peek at what that update will do? This is the first issue marked as fixed on the info page which is linked to in the update dialog.

  16. Boka wrote on :

    I will wait for 16.0.1

    1. Ant wrote on :

      I guess the decades-old saying still holds, “Never install a point-O version.”

  17. JaSK wrote on :

    Just clear your browsing history or use FirefoxPortable for today.

    Also I think Facebook is the only page on the internet that would actively exploit this vulnerability.

    So stay off FB for a day until a fix is released or clear ur history or use firefoxportable.

  18. Tom Kane wrote on :

    Is Aurora 17 affected? And, does this problem with Firefox 16 affect all versions of windows and also Mac OS10.7?

  19. Ingo-Hanno Minke wrote on :

    I completely uninstalled Firefox. After installing version 15.01, Secunia PSI complains and immediately installs version 16 again!! That is supposed to be a security company?? Minke

  20. Ingo-Hanno Minke wrote on :

    I completely uninstalled Firefox. After I had installed Firefox 15.01, Secunia PSI installed version 16 again. That is supposed to be a security company.
