Mozilla Briefly Removes Firefox 16 Due to Security Flaw
October 12, 2012 by Network Security
In a blog post dated 10.10.2012, Mozilla’s head of security assurance Michael Coates stated that Firefox 16 had been temporarily removed from the installer page because of security vulnerability issues. “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters,” Coates said. “At this time we have no indication that this vulnerability is currently being exploited in the wild.”
“Coates did not say when Mozilla found the new vulnerability issues, or how they were discovered,” according to Computerworld’s Gregg Keizer. “Notes from a Mozilla meeting yesterday, however, show the company was aware of it by 11 a.m. PT Wednesday, when it told developers that a ‘chemspill’ — Mozilla’s term for an emergency update — was necessary.”
“With the Firefox 16 vulnerability making it possible for an attacker to view URLs and URL parameters, that means he or she could also harvest private information that’s passed in a querystring,” wrote Geek.com’s Lee Mathews. “That could include things like your private email address, physical address, and other sensitive data. And the risk is compounded if you happen to visit sites that aren’t very selective about what information they pass via a URL.”
“Firefox version 15 is unaffected, and as a precaution users can downgrade to version 15.0.1,” according to ITworld’s John Ribeiro. “Or they can wait until Mozilla’s patches are issued and automatically applied to address the vulnerability, Coates said. The new version of the browser was released on Tuesday and addressed a number of security vulnerabilities, including some considered critical.”




