Security Vulnerability in Firefox 16



Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated, and new downloads will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.


The vulnerability could allow a malicious site to determine which websites a user has visited and to read those sites' URLs, including any URL parameters (the query string, which may carry session identifiers or other sensitive values).  At this time we have no indication that this vulnerability is being exploited in the wild.


Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.  As a precaution, users can downgrade to version 15.0.1 by following these instructions [].  Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.


Michael Coates
Director of Security Assurance
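The property that 16.0.1 restores is the same-origin rule for another window's Location: a page may read a second window's URL (and therefore its query string) only when scheme, host and port all match. The model below is an added example written for this page; it is not Firefox code and does not reproduce the bug itself. The URLs, the `readableLocation` helper and the parameter names are constructed for illustration.

```javascript
// Added example (not Firefox source): a model of the same-origin check that
// governs cross-window Location access. Runs under Node.js, which provides
// the WHATWG URL class used here.

// Origin = scheme + host + port. URL.origin normalises default ports and
// lowercases the host, and yields the string "null" for opaque origins
// (about:blank, data:, file:).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // Opaque origins never match anything, not even themselves.
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// What a Location accessor may hand back to a document at readerUrl when the
// target window is showing targetUrl. Cross-origin readers must get nothing:
// no href, no pathname, no search, no hash. (Setting href remains allowed in
// browsers, but that is a write, not a read, and is not modelled here.)
function readableLocation(readerUrl, targetUrl) {
  if (!sameOrigin(readerUrl, targetUrl)) {
    return null;                          // deny: the URL stays secret
  }
  const u = new URL(targetUrl);
  return {
    href: u.href,
    pathname: u.pathname,
    search: u.search,                     // e.g. "?session=..."
    hash: u.hash,
    params: Object.fromEntries(u.searchParams),
  };
}

// Constructed scenario: a malicious page opens the user's bank and tries to
// read where the user ended up. The bank URL and its parameter are made up.
function demo() {
  const attacker = 'https://attacker.example/landing';
  const bank = 'https://bank.example/account?session=s3cr3t#statements';
  return {
    crossOrigin: readableLocation(attacker, bank),   // null
    sameOriginView: readableLocation('https://bank.example/', bank),
  };
}

const result = demo();
console.log('cross-origin read:', result.crossOrigin);
console.log('same-origin read:', result.sameOriginView.search);
```

Two details matter in practice: `http://bank.example` and `https://bank.example` are different origins even though the host is the same, and an explicit default port (`https://bank.example:443`) is the same origin as the URL without it. A check that compares only hostnames, or compares port strings literally, gets both cases wrong.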

155 responses

  1. James wrote on :

    Hi Michael,

    Are Firefox Nightly versions (e.g., 19.x) affected by this as well? (I’m assuming they are?)


  2. Sean wrote on :

    I’ve noticed precisely the same problem we had with the old UPDATE RELEASE. The first Major Number upgrade IS ALWAYS FLAWED, quickly followed by a patch. This is why we waited for two to three minors on the old system before jumping into the next major. Now we autoupdate into the busted version before we know if it works and really need to wait for the x.1 or x.0.1 version before accepting the next bit ‘o detritus.

  3. Andrew wrote on :

    Should any of the dev-team be reading this and haven’t been too disgusted to stop yet …

    Thank you for quickly informing us of the vulnerability and working quickly to patch it. I would much rather have a software vendor that educates its users instead of keeps them in the dark to save face.

    As Granjow mentioned, there could potentially be situations where the user has visited webpages whose URIs contain credentials or other sensitive information. I also wouldn’t care to have knowledge such as who I bank with or what communication services I use known to malicious parties that would exploit this vulnerability.

    Keep up the great work, Devs!

  4. Mike wrote on :

    There is also another bug…..
    I tried to ‘upgrade’ to FF 16 on two machines, a standard PC and a laptop – both running XP. After running the program, neither computer would re-boot on its own. After a long wait, I manually re-booted. Once booted, neither one had Firefox but, after a VERY long wait, the update eventually started. I may have to go back to them and reload v15.0.1.

  5. Andy wrote on :

    What is the status for the beta builds?
    I see that 16.0b6 is available on the website – is this affected?
    Also my firefox help/about just says version 16.0 so not sure what version of 16.x is affected.

  6. Bryan Price wrote on :

    Does this affect 17 and above (I’m running 19.0A1 right now myself…)?

    @Matt A. Tobin: As far as things go right now, I’m not seeing too much breakage of extensions.

    If you’re really worried about breakage, download a portable Firefox beta, and sync it with your current Firefox and see if everything works.

    1. mcoates wrote on :


      No this does not impact 17 and above.

  7. Vik wrote on :

    Firefox is still one of the most secure browsers out there. I look forward

  8. Henry wrote on :

    Are Firefox Beta and Aurora also affected?

    1. mcoates wrote on :

      No, as of today, Firefox Beta and Aurora are not vulnerable.

  9. May wrote on :

    > The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.
    Let me guess… Referer for which website I’ve visited and JavaScript “document.location” in order to have access to the URL, wait… OMFG, every browser is flawed! Women and children first!

  10. stoney wrote on :

    I just read the article in the news about v16. I went to Firefox help, About Firefox, to see what version I was on; it said 15 but then immediately downloaded and installed 16. How and why, if 16 was removed????

    1. mcoates wrote on :

      The updates are now live. That is why you have Firefox 16. If you go to the menu bar, click the Firefox menu and select About Firefox you should see version 16.0.1.

      More information on checking your version number and updating can be found here:

      1. stoney wrote on :

        cheers dude

    2. Valentin G. wrote on :

      Probably because it had already downloaded the update, but it did not install it yet. When you restarted your browser it switched over to the new version.

      IMO this was blown out of proportion. Mozilla could have easily kept quiet about this, but they didn’t. Just because they wanted to protect their users.

      Hat off to Mozilla.

  11. Melvin Alvarez wrote on :

    Could the G Data CloudSecurity add-on be a solution for fixing this vulnerability?

  12. Critic wrote on :

    Since this vulnerability seems to be critical enough for mozilla to take those extreme measures,
    I urgently need more information on that issue!
    – What do you mean when you say “URL Parameters”?
    – Are there any websites known right now that would have exploited that vulnerability in the wild?
    – Do Websites which handle sensitive information (e.g. online banking, Apple, Apple ID, Apple iCloud, Google, Google Mail, Amazon etc.) nowadays save any of those information like passwords in the URL so that an attacker might have compromised my E-Mail Accounts, iCloud Backups etc?
    – Do users who have been using FF 16 for 3 days now have to change all their passwords?
    – How was a downgrade to help, since FF 15 has several other known security vulnerabilities?
    – How likely is the existence of an exploit of the FF 16-issue in the wild? Is it easy to implement such a thing into a commonly used website?

  13. Wolfgang D. wrote on :

    Thank you for your lightning-fast fix. Just installed 16.0.1.

  14. Bob wrote on :

    Still no official 64-bit version for Win64? I’d consider this a bug 😉

  15. StephanieX wrote on :

    Stop complaining. Like business users, wait for a program to become stable before updating.

  16. Help wrote on :

    I just got the famous – “Blue Screen of Death”.

    Q: Could it have been a result of the vulnerability?

    1. mcoates wrote on :

      No, a blue screen would be completely unrelated to this issue.

  17. Andreas wrote on :

    A few observations from a non-nerd user:

    1. I have only learnt today through BBC World that the security problem with Firefox 16 exists, and that this blog exists.

    2. Download of 16.0.1 was initiated automatically tonight, but it has not been possible to positively counter-check on the regular website whether this is the old problematic version or the promised safe update.

    3. In your blog above, the two bullets under “Update (Oct 11, 2012)” are absolutely unclear with respect to the key information needed, namely whether the mentioned release of the update refers to the old unsafe or the new safe version.

    4. Further down mcoates posts a blog saying “The updates are now live. That is why you have Firefox 16. If you go to the menu bar, click the Firefox menu and select About Firefox you should see version 16.0.1. ” So that reads as if I now had Firefox 16 AND 16.0.1 at the same time. Key information still missing.

    In short, clarity and accessibility of information in such an unfortunate situation would be the top priority for Mozilla – instead, the customer has to search for it and then it is gobbledegook … Not impressive!


    1. mcoates wrote on :


      Thank you for your comment. I’ve added the fixed version number to the update at the top of the post. 16.0.1 is the current version and contains the patch for the identified issue.


      1. Eurythrace wrote on :

        I’ve been a FF user since about FF 1.3 when it was new, but I’ve never seen anything like this most recent UPDATE. Can someone please explain why the UPDATE from FF 16.0 to FF 16.0.1 required ~21.7MB when the new install package for FF 16.0.1 is only ~17.3MB? Is there really that much compression in the install package? And did it really require what appears to be a complete refresh of the entire program to fix a “minor” security bug???

        Thanks in advance for your response.

        1. j-boo wrote on :

          urp. and if you check your update history after installing version 16.0.1, it’s been wiped.

  18. io wrote on :

    I use both: Chrome because it has Flash built-in, and I use it with the integrated Google services; Firefox without add-ons for security to browse the rest of the unsafe www, except for version 16.0 of course…

    I am browsing this page with Chrome while updating ffx to 16.0.1; it doesn’t show up right. Moved to ffx, it works.

    just saying

  19. tlr wrote on :

    captcha not working?

  20. j-boo wrote on :

    Confused. Firefox gave me an automatic update yesterday evening; I trusted them, so I didn’t pay much attention. Just now saw an article making me aware of the security problem. Panic, because I know I was updated yesterday, and I know I visited some malicious sites (necessary evil). Still panicking, I check my version: it says 15. Check my update history in Firefox: it shows that version 16 was downloaded yesterday, but instead of Installed Successfully, it says Installation Pending. My Firefox was up all night (fell asleep with it on); did they downgrade me back to 15 while I slept? Does the malicious website I visited after the automatic update yesterday now have all my passwords/URLs for every other site I visited? Why was version 16 showing as downloaded but ‘Installation Pending’ in my update history, and how did I get back to 15?
    So confused, I am but a humble caveman and I do not understand your strange modern devices. I hate technology and I wish we still lived in the dark ages. Automatic updates are off, off, off, FOR GOOD.
