Mozilla’s new Firefox 16 Web browser was abruptly removed from the company’s downloads page on Oct. 10 after a serious security vulnerability was discovered a day after its release.
The download removal was announced by Michael Coates, director of security assurance for Mozilla, in a post on the Mozilla Security Blog.
“Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16),” wrote Coates. “We are actively working on a fix and plan to ship updates [Oct. 11]. Firefox version 15 is unaffected.”
The problem that caused Mozilla to pull Firefox 16 back from its distribution and update channels is reported to involve a vulnerability that “could allow a malicious site to potentially determine which Websites users have visited and have access to the URL or URL parameters,” wrote Coates. “At this time, we have no indication that this vulnerability is currently being exploited in the wild.”
Mozilla, however, is apparently taking no chances and made the move to pull the new release back so it could be fixed.
“Firefox 16 has been temporarily removed from the current installer page, and users will automatically be upgraded to the new version as soon as it becomes available,” wrote Coates. “As a precaution, users can downgrade to version 15.0.1 by following these instructions [http://www.mozilla.org/firefox/new/]. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.”
Charles King, principal IT analyst with Pund-IT, said the fast reaction by Mozilla is an “indication of how seriously security issues are affecting people these days.”
The quick decision to turn around and pull the Firefox 16 release showed that Mozilla wanted to be proactive about the problem, he said. The company’s quick response was unusual, he added.
“It’s a different security world today than it was three or four years ago,” said King. “A company can sustain enormous damage if they don’t act quickly on what they believe can affect their customers.”
Ironically, Mozilla has recently been very vocal about security fixes it had made in the previous version of Firefox, Version 15, said King.
The quick yanking of Firefox 16 is likely “embarrassing” for Mozilla, but a wise move, said King. “Better short-term embarrassment that you can write off as being to the benefit of your customers, rather than have to apologize six weeks down the line.”
A Mozilla spokesperson did not immediately respond to a request for further comment about the latest security vulnerability.
The latest Firefox 16 release was unveiled by Mozilla on Oct. 9 and was touted by the company for having several new features, including default VoiceOver support on Mac OS X, as well as initial Web app support for Windows, Mac and Linux. Also included were 16 bug fixes, including 11 that were rated as critical and three that were rated as high impact.
Firefox browsers hold about 20.1 percent of the global browser market, compared to 53.6 percent for Microsoft’s Internet Explorer browser, according to September 2012 figures from Web analysis firm Net Applications. Google’s Chrome holds 18.9 percent, while Safari has about 5.3 percent.
Mozilla’s previous browser, Firefox 15, debuted in August and included code fixes for memory leaks and new support for the Opus video format.
In July, Firefox 14 added default support for a secure HTTPS connection when conducting Google searches, a feature that improves security and privacy for users.