On Tuesday, Mozilla released Firefox 16, which patched several bugs in the previous version of the open source browser. Unfortunately, the update also introduced a completely new security flaw, which caused the organization to stop offering the download temporarily.
On Mozilla’s security blog, Michael Coates, the organization’s director of security assurance, explained, “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.” He also promised, “We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.”
In Computerworld, Gregg Keizer reported, “Coates did not note when Mozilla became aware of the new vulnerability, or how it was discovered. Notes from a Mozilla meeting yesterday, however, show the company was aware of it by 11 a.m. PT Wednesday, when it told developers that a ‘chemspill’ — Mozilla’s term for an emergency update — was necessary.”
“Mozilla said users may consider downgrading to version 15.0.1, and pointed them to the 15.0.1 download page,” wrote Ars Technica’s John Brodkin. He added, “Firefox 16 itself fixed 14 vulnerabilities in version 15, including 11 that could allow attackers to install software without any user interaction beyond normal browsing.”
The BBC noted that Firefox is “one of the three leading web browsers, with more than 450 million users worldwide.” It added, “In recent months, various figures suggested Chrome had overtaken Firefox’s market share, pushing the Mozilla Foundation’s flagship product into third place in the browser race.”