Security Vulnerability in Firefox 16

Update (Oct 11, 2012)
  • An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
  • A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Issue:
Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.
Impact:
The vulnerability could allow a malicious site to determine which websites users have visited and to read the URL or URL parameters of those sites. At this time we have no indication that this vulnerability is currently being exploited in the wild.
Status:
Firefox 16 has been temporarily removed from the current installer page, and users will automatically be upgraded to the new version as soon as it becomes available. As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.
Michael Coates
Director of Security Assurance

155 responses

  1. Daniel wrote on :

    Trolling?

    Really?

    Trolls can fuck themselves. Honestly, Mozilla knows their shit… Chrome has never had the experience nor the cohesion Firefox has.

    Firefox is by far the best and most solid web browser on Windows; its range of addons and its design are far superior to Chrome’s. Already on 16.0.1.

  2. Rajesh wrote on :

    It’s October 12 IST and as of today Firefox is safe. Safest of all the browsers. Even Chrome tracks everything, uploading data to their servers. I trust in Firefox!!

    SpreadFirefox.com

    Long live Firefox!!

  3. Andy Scott wrote on :

    I just checked ‘About Firefox’ to check I was on version 15. I was, but checking automatically triggered the install of 16. No way to stop it. Like j-boo, I’m never using automatic updates again.

  4. Joe King wrote on :

    Why has Mozilla stopped PGP-signing releases available under http://releases.mozilla.org/pub/mozilla.org/ for versions 16.x? Until 15.x every release had an accompanying signature. There are currently security challenges all over Mozilla it seems.

    1. mcoates wrote on :

      Joe,

      We are signing the sha512sum file:
      e.g.
      http://releases.mozilla.org/pub/mozilla.org/firefox/releases/16.0.1/SHA512SUMS
      and
      http://releases.mozilla.org/pub/mozilla.org/firefox/releases/16.0.1/SHA512SUMS.asc

  5. Jan Schejbal wrote on :

    Could you please post a link to bugzilla or anything else with more detailed information about the issue?

    1. Jesse Ruderman wrote on :

      https://bugzilla.mozilla.org/show_bug.cgi?id=799952 – Cross domain access to the location object

  6. Firefoxed wrote on :

    The following just blew my mind.

    There’s a link to this blog article on the release notes for 16.0.1:
    http://www.mozilla.org/en-US/firefox/16.0.1/releasenotes/

    When I click on the link on that page to this blog article, I get a rather startling error message:

    “Untrusted Connection […] You have asked Firefox to connect securely to blog.mozilla.org, but we can’t confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified. […] If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn’t continue.”

    So Firefox doesn’t trust Mozilla’s own security blog, and flags it as a potential security risk! C’mon guys, this doesn’t exactly inspire confidence! What the bleep’s going on here?!

    1. mcoates wrote on :

      I went through the steps you described and I don’t receive any certificate warning messages and the certificate chain is valid and trusted within Firefox. I confirmed this on a second machine as well.

      There is additional information at the following link on certificate errors.
      http://support.mozilla.org/kb/connection-untrusted-error-message

      1. Firefoxed wrote on :

        Many thanks for taking the time to respond mcoates – I appreciate it.

        I’m still getting the “This Connection is Untrusted” warning when I click on that link (which is the URL for this blog page prefixed with “https://”).

        In the technical details of the warning it says:

        blog.mozilla.org uses an invalid security certificate.

        The certificate is only valid for blog.mozilla.com

        (Error code: ssl_error_bad_cert_domain)

        There are a number of links on https://www.mozilla.org/en-US/firefox/16.0.1/releasenotes/ which begin with https://blog.mozilla.org/ and which all present the same issue. Just to let you know.

  7. Hans wrote on :

    Just installed it on Ubuntu 11.04. I noticed that the information from the tag of the first website you load will stay visible during the whole session. It doesn’t update when you surf elsewhere.

  8. osos wrote on :

    [dalaoqi@oshell 下载]$ firefox
    /usr/lib64/firefox/firefox: symbol lookup error: /usr/lib64/xulrunner/libxul.so: undefined symbol: PR_SetCurrentThreadName

  9. tony wrote on :

    Will the user agent string for 16.0.1 be fixed soon? Was never updated in the patch and still reads 16.0. Thanks!

    1. jh wrote on :

      The UA string was modified in Firefox 16 and going forward to remove the patch level of the browser.

      This was done to reduce fingerprinting (how easily a site can uniquely identify a user) and for protection. Non-patched browsers don’t look different from patched browsers.

      For more information the bug is: https://bugzilla.mozilla.org/show_bug.cgi?id=572659

      1. tony wrote on :

        Thanks for the reply, and that’s fine. I wasn’t referring to the Gecko patch level, but shouldn’t the user agent be:

        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0.1

        Not:
        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0

        That’s how it’s always been up until now. Without the .1 at the end there is no way to distinguish between a vulnerable 16.0 and a patched 16.0.1. How can network admins secure their networks against a vulnerable browser and force people to update to 16.0.1 without also blocking 16.0.1?

        Maybe I’m missing something.

      2. tony wrote on :

        I guess I may have misread your comment at first; it sounds like you are saying this has been done on purpose to avoid a site targeting certain browsers. I find this to be an interesting decision, and one that could hurt in the long run. Interested in seeing this pan out. I’m unfamiliar with how fast Firefox automatically patches, so hopefully these browsers stay updated.

        1. Eurythrace wrote on :

          I find the dropping of the minor version numbers in the UA to be of great relief. As pointed out in jh’s original response, it made fingerprinting website visitors much easier. Your decision to check for this info on your website is exactly WHY it was dropped. It was putting too much user info in the hands of “strangers”. It is up to the individual user to protect themselves, thank you very much. Caveat emptor.

          1. tony wrote on :

            Oh I understand, and I see why this is important from a home user perspective. I don’t own a website, but user agents are used to secure corporate networks by blocking vulnerable browsers. There is now no way to block users from using a vulnerable 16.0 without also blocking 16.0.1. I can see how majority of users are just home users and would benefit from this decision, but there are some downsides as well that affect people.

          2. tony wrote on :

            While I understand why this is true for the average user, this is not why I was concerned. I don’t have a website or wish to track this information. I am just pointing out that while this is good for the average home user, it is not good for corporate networks that wish to protect themselves against vulnerable browsers. A large network can’t block vulnerable browsers without also blocking the patched ones. Knowing what browser version people are using can help alert people to patch and update their machines. Even Mozilla’s own website will have trouble knowing whether users are using the most up-to-date version of their product. There are both upsides and downsides to this decision.

            1. Eurythrace wrote on :

              Tony,

              Yes, a corporate INTRAnet is a totally different environment. If u really want to track potential browser vulnerabilities by version number, perhaps u can make a corporate agreement with Mozilla to retrieve the same info they must be sending when FF checks for updates. Perhaps a small special add-in/extension on the client side would suffice to inform your servers and alleviate your concerns.

              Cheers.

  10. Wilbur wrote on :

    It wasn’t just a security issue. Version 16.0 was completely dysfunctional. After 10 to 15 min, it would stop fetching websites and simply say “Looked up [domain name]” and then stop.

    Restarting it would recover… for 10 to 15 min and the problem would repeat.

    I checked for update (via Ubuntu) or bug reports on the lock up and found none. This morning I noticed that Firefox was using up 5.1 gigs of memory. There are and have been for a long time serious memory leak issues, but that was beyond the usual.

    Fortunately, Ubuntu had an update this morning, and after a couple hours of running Firefox is only using 1 gig of memory. Though I suppose by the end of the day it will be up to 3 or 4 as usual.

    1. Ricz wrote on :

      first day on FF16, 9 hours of work, 103 different urls opened, 11 tabs still open, most with firebug or 3d view, running smoothly, “just” 231mb of ram so far on win7/i7/6gb ram, and a total of 15 minutes cpu time (skype used 37). Also used a couple of hours on ubuntu, and didn’t notice strange memory usage. Maybe the issue is with your system or super-super heavy pages or some extensions?

  11. Shailesh wrote on :

    Rapid Release gets new features into the hands of end-users faster, and is a necessity to compete with Google. We don’t want to go back to the old days of waiting 6-12 months for a new release, where lots of new features that were ready sooner would have to wait months for the release to see the light of day. Yes, occasionally, some nasty bugs will make it into the release, but that doesn’t seem to be much different from the way it was before. Mozilla needs to think about re-architecting the process security of Firefox the way Google Chrome has done, and then paying bounties for bugs, otherwise, Chrome is just going to pull away over time.

    1. The oldie wrote on :

      But they should perhaps be better tested. This release 16 and 16.0.1 has flickering menus running under Win7 64 bit. I went back to 15… which is ok in this respect, but forgot to turn off auto updates…
      I have seen that this has been a problem for others also in earlier releases.

  12. Bryan Price wrote on :

    Sorry about the spam, but can I leave a message without the captcha security code?

    1. Jesse Ruderman wrote on :

      Apparently you can! I filed https://bugzilla.mozilla.org/show_bug.cgi?id=801313 on the missing captcha.

  13. msth67 wrote on :

    Such information should be publicized more rapidly and more evidently by Mozilla, I too would say; learning it from other web sources and then having to dig around for further enlightenment doesn’t look too good. What about also using Mozillazine to notify such unforeseen issues, and furthermore why not publicize the link to the bug, since at this point probably the folks who shouldn’t know in fact know already?

    1. pieroxy wrote on :

      Well, maybe it is just not a big deal since there is no exploit. One can think that an exploit is highly unlikely on a browser released 3 hours ago. And a patch that quickly makes it much more unlikely that an exploit will ever see the light of day.

  14. Seen wrote on :

    Really? So I get the popup to update, I update my Firefox, now I’m reading this and it’s telling me to downgrade.

    1. mcoates wrote on :

      As of 12pm PT on Oct 11 the patched version (16.0.1) was distributed to all users. If you’ve upgraded since that time you will be on the patched version.

      More information on checking your version number and updating can be found here:
      http://www.mozilla.org/firefox/update/

  15. A pissed off user. wrote on :

    This release of information was handled very poorly.

    Next time something like this happens, you should post something on your main page indicating the problems. Be upfront. Do not hide it! That is how you lose TRUST!

    I updated to 16.0 when it was released. Went to do a few more machines the next morning and the update was gone, but I could find NO explanation why. Unacceptable.

    Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network and I would be forced to recommend anyone I know that uses the internet, against using this product.

    1. Dave wrote on :

      You should also demand a refund.

      1. John Meloche wrote on :

        lol @ Dave. I agree! The fact he posted “pissed off customer” lol… customers pay money. I say, enjoy the fact you get such incredible software free. Everyone faces problems. The fact that communication could be improved for the next time something happens doesn’t warrant being a jerk in the forum.

    2. Slightly Sarcastic wrote on :

      Pull your head out and take a deep breath of fresh air.
      Mozilla does not need to explain why they pulled the update, just be glad they did.
      You don’t want to post something like that on your “Front Page” because then you get people working hard to exploit it. That whole “TRUST” thing? Yea, Mozilla pulled the updates, worked on a patch, released a patch a day later. TRUST that they are indeed working hard to keep your browsing sessions as safe as they can.

      Threatening to “pull Mozilla from your personal and corporate machines” is about as whiny as you can get. You want Mozilla to pay you, too? Put your money on a silver platter and butler it to your front door. “Here you go sir, we are sorry for the screw up, won’t happen again.”
      Get real, bozo.

      The nerve of some people.

    3. gs wrote on :

      You get what you pay for.

      1. gharlane wrote on :

        atm I’m hard pressed to come up with the name of a browser you do have to pay for….. so your comment and attitude fall a bit flat.

    4. ffuser wrote on :

      @A pissed off user:
      When it comes to mission-critical or corporate networked computers:
      1. Never set up auto-update for any application or download / install updates
      2. Never install a newly released application or update the same day unless you are aware of the bug-fix etc. and have a good backup for a quick roll-back.
      3. Read release notes, new features, known issues etc. before applying the update
      4. Download the update and install it from a local source so all your versions are consistent and you have a backup copy of the update

      “Should the type of handling in this situation present itself again, FF will be removed from all of my personal machines as well as from our Corporate network” – This happens with other applications as well… what’s your solution? Remove them and switch to another app?

  16. Aron wrote on :

    Since I’m absolutely in love with FF, I figured I might give the automatic update idea a go. Thankfully this incident came as a wake-up call, so while I’m not giving up on the good cause, I switched off automatic updates for good and started to make the effort to finally fine-tune my Opera as a backup – so yeah, good faith has been slightly shaken, I’ll be more careful before accepting any .0 version for sure. Good job churning out the fix quickly though, it restored some trust. Keep up the good work!

    1. Daniel Veditz wrote on :

      And what happens when you forget to check for updates manually every day? You’ll go days or weeks on an old version rather than the one day in this case. Not sure you’ve learned the right lesson from this incident.

  17. Ben Reaves wrote on :

    I learned about it from Marketplace Tech Report this morning and within half a day I see the update. I think this is pretty *good* response compared to other software vendors. Makes me want to stay, not switch

  18. zbravo wrote on :

    I really don’t know why we have only major releases. Since what, version 4? I can only get major version number releases.

    I don’t think that would be the most correct approach. We should be at around version 6, probably with the change of looks to the “like-office” menu.

  19. mr peabody wrote on :

    How many of my current programs will no longer be supported? This seems to happen every time I allow one of these updates to install. Very frustrating.

  20. Jim wrote on :

    For a major web browser, the frequency of version releases is a bit over the top. How about dramatically lowering the frequency of releases, and getting things right? Besides, who wants to update every week?

    1. Jim Russell wrote on :

      I do.
