Firefox 16.0.0 suffers from a security vulnerability that could allow a malicious site to snoop on the list of websites that users have visited and access the URL or URL parameters. Although there was no indication that this vulnerability was being exploited in the wild, Mozilla decided to pull Firefox 16 until a patch could be written.
In the interim, users could downgrade to version 15.0.1 or just wait until patches were issued and automatically applied to address the vulnerability, Michael Coates, director of security assurance at Mozilla, said in a blog post.
Now Mozilla has released Firefox 16.0.1 to fix the flaw. It also released a patch for the Android version, which can be downloaded from the Google Play store.
An update posted to Mozilla’s blog said:
- An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
- A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Some users reacted angrily to the fiasco, with lots of comments using words like “disappointed” and calls for users to switch to Chrome.
Firefox 16 security fixes
Excluding this last-minute bug, Firefox 16 did fix a lengthy list of security vulnerabilities, most of which were deemed Critical. A Critical vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. The full list of fixes, including those in 16.0.1, is:
- MFSA 2012-89 defaultValue security checks not applied
- MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
- MFSA 2012-87 Use-after-free in the IME State Manager
- MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
- MFSA 2012-85 Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer
- MFSA 2012-84 Spoofing and script injection through location.hash
- MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
- MFSA 2012-82 top object and location property accessible by plugins
- MFSA 2012-81 GetProperty function can bypass security checks
- MFSA 2012-80 Crash with invalid cast when using instanceof operator
- MFSA 2012-79 DOS and crash with full screen and history navigation
- MFSA 2012-78 Reader Mode pages have chrome privileges
- MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
- MFSA 2012-76 Continued access to initial origin after setting document.domain
- MFSA 2012-75 select element persistence allows for attacks
- MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0 / rv:10.0.8)
In that list is an item for “Use-after-free, buffer overflow, and out-of-bounds read issues found using Address Sanitizer”. Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team notified Mozilla about a series of memory issues that are potentially exploitable, allowing for remote code execution.