Firefox 16 Re-Released After Serious Security Flaw Is Patched

By Todd R. Weiss  |  Posted 2012-10-12

The Firefox 16 Web browser is again available for download and installation, less than 24 hours after Mozilla removed the latest Firefox browser from its downloads page due to the discovery of a serious security flaw Oct. 10.

The problem that caused Mozilla to pull Firefox 16 back from its distribution and update channels is reported to involve a vulnerability that "could allow a malicious site to potentially determine which Websites users have visited and have access to the URL or URL parameters," Michael Coates, director of security assurance for Mozilla, wrote in an Oct. 10 post on the Mozilla Security Blog. Coates said that Mozilla didn't believe that the vulnerability was yet being exploited through online attacks.

Coates' blog post was updated Oct. 11 to report that the security vulnerability had been repaired and patched. In his original post, Coates advised users that the patched version would be released the next day—a deadline that Mozilla did meet.

"An update to Firefox for Windows, Mac and Linux was released at 12 p.m. PT on Oct 11," Coates wrote. "Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1)."

The updated and repaired Firefox 16 version for Android was released at 9 p.m. PT Oct. 10, according to Coates. Version 15 of the browser was not affected by the security flaw.

The repair cycle began Oct. 10 when Firefox 16 was abruptly removed from the company's downloads page after a serious security vulnerability was discovered a day after its original Oct. 9 release, according to Coates' original blog post.

Mozilla's reaction to the flaw was apparently to take no chances and to pull the new release back so it could be fixed.

About two dozen Firefox users posted comments about the problem, in response to Coates' blog post.

"Once this is fixed (hopefully soon!), I would really appreciate some more details as the description of the security flaw is indeed quite vague," wrote a user who identified himself as Martin. "What exactly could have happened in the worst-case scenario?"

Another user, Scouter Scot, wrote: "This is a shame. Not the security violation, but rather Mozilla's brand of notification. How many millions of users are moms, kids, or NFPs that don't know or care to know this site or those like it exist? Who notifies them, Mozilla? If a Google+ user hadn't mentioned it in passing, I never would have known."

A user identified as Boka wrote: "I will wait for 16.0.1."

Another user, Ant, agreed, writing: "I guess the decades-old saying still holds, 'Never install a point-O version.'"

User Vik remained confident despite the problem, writing: "Firefox is still one of the most secure browsers out there."

Another user, Wilbur, however, was pretty annoyed with Firefox 16 from the start. "It wasn't just a security issue," wrote Wilbur. "Version 16.0 was completely dysfunctional. After 10 to 15 min., it would stop fetching Websites and simply say 'Looked up [domain name]' and then stop. Restarting it would recover … for 10 to 15 min. and the problem would repeat."

The original Firefox 16 release unveiled by Mozilla Oct. 9 was touted by the company for having several new features, including default VoiceOver support on Mac OS X, as well as initial Web app support for Windows, Mac and Linux. Also included were 16 bug fixes, including 11 that were rated as critical and three that were rated as high impact.

Firefox browsers hold about 20.1 percent of the global browser market, compared to 53.6 percent for Microsoft's Internet Explorer browser, according to September figures from Web analysis firm Net Applications. Google's Chrome holds 18.9 percent, while Safari has about 5.3 percent.

Mozilla's previous browser, Firefox 15, debuted in August and included code fixes for memory leaks and new support for the Opus video format.
