Security Issues Force Mozilla To Pull Firefox 16 One Day After Release
October 12, 2012

Mozilla Re-Releases Firefox 16 Update

Lee Rannals for — Your Universe Online

Update (OCT 12, 2012 11:30AM): Mozilla has released an update for Firefox 16, fixing flaws that left the new Web browser vulnerable to attacks.

The company took down its latest Firefox browser update after it was discovered that hackers could use a hole in the software to determine which websites users have visited.

Yesterday afternoon, Mozilla released the Firefox 16.0.1 upgrade to users, patching up the flaws.


Mozilla has pulled its latest Firefox browser down just a day after it was released, due to security concerns.

The company wrote in a blog post Wednesday night that it removed Firefox version 16 from the Mozilla installer page earlier Wednesday after a glitch was found that could allow hackers to view private search information.

“The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters,” Michael Coates, the director of security assurance, wrote in a blog post. “At this time we have no indication that this vulnerability is currently being exploited in the wild.”

Mozilla said it is working on a fix for the new browser and will be launching a new version of it on Thursday.

The company advised those who have already downloaded Firefox 16 to downgrade to the previous version, Firefox 15.0.1, by visiting its Firefox Web site.

Users who do not want to downgrade can instead wait for the company to push out its next update for Firefox 16.

Mozilla pulled the update several hours after a JavaScript blogger posted about how he was able to create proof-of-concept code that forced Firefox 16 to identify a visitor's Twitter handle whenever the user was logged into the site.

The code sample only took about 10 seconds to reveal the username, and it wouldn't be hard for hackers to expand on that for more extravagant attacks.

"Looks like Firefox introduced a code change that allows a malicious webpage to run some JavaScript that can access the 'location' (the URL bar) of windows," Jeff Williams, a web application security expert and CEO of Aspect Security, wrote to Ars Technica. "So attackers can abuse this by using JavaScript to open other windows to protected websites. Then that JavaScript can access the URL and give it to the attacker. This should result in an 'Error: Permission denied' message, but FF16 allows it."