Mozilla today confirmed the discovery of a security hole in Firefox 16 that could allow a malicious site to determine which websites users have visited by accessing URL parameters. The organization says it has not seen any indication of the flaw being exploited in the wild but has nevertheless pulled the current Firefox 16 installer and plans to release a patch at an undisclosed time tomorrow (read: as soon as possible). Users will be automatically upgraded when the latest version is made available, the company has promised.
That’s right: while Firefox 16 users are not being downgraded to older versions, if you are still on an older version of Firefox, you will no longer be upgraded to Firefox 16. Furthermore, if you navigate to mozilla.org/firefox right now, you’ll be told to download Firefox 15.0.1, the latest version that is not affected by this flaw. Despite the fact that Firefox 16 was released on Monday and officially launched on Tuesday, here’s what the Firefox homepage looks like on Wednesday:
At the time of writing, however, the Fully Localized Versions webpage still lists all the various flavors of Firefox 16 for Windows, Mac, and Linux. I think it’s fair to assume that Mozilla will soon replace these with Firefox 15, or Firefox 16.0.1, depending on how it chooses to use its resources.
It’s important to note that this is separate from the Firefox 16 add-on bug reported yesterday, which Mozilla confirmed would be fixed in Firefox 17. It’s not clear if the company will try to sneak in a fix for this bug as well in tomorrow’s release.
Image credit: Miguel Saavedra.