X

Mozilla rereleases Firefox 16 after fixing critical flaw

Browser was pulled from download after only a day, to fix bug that could reveal which Web sites a user had visited.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Firefox

Mozilla released a new version of Firefox (Windows, Mac) today, one day after yanking the Web browser to address security flaws.

Firefox 16 was pulled off Mozilla's installer page yesterday, just one day after its release, to fix a vulnerability that could have allowed a malicious site to identify which Web sites a user had visited, said Michael Coates, Mozilla's director of Security Assurance. The flaw was publicly disclosed yesterday by security researcher Gareth Heyes, who published proof-of-concept code to demonstrate the vulnerability.

Though Mozilla said it had no evidence that the vulnerability was being exploited in the wild, the company recommended that users who had upgraded to version 16 downgrade to version 15.0.1, which was deemed unaffected by the flaw.

At noon today, the new version -- Firefox 16.0.1 -- was released to Mozilla's upgrade servers and was pushed to users who had previously downloaded Firefox 16. A fix for the Android version of Firefox was released last night.

Mozilla also provided more information about the nature of the flaw, which it rated as critical.

"Mozilla security researcher 'moz_bug_r_a4' reported a regression where security wrappers are unwrapped without doing a security check in defaultValue()," Mozilla said in an accompanying advisory. "This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution."

The new version of the Web browser landed Tuesday with support for HTML5, indicating that Mozilla has decided it has matured enough to run in the browser without causing instability. The new version includes CSS3 Animations; Transforms; Transitions; Image Values; Values and Units; and IndexedDB.