Risk

10/11/2012
11:06 AM
50%
50%

Mozilla Suspends Firefox 16 Downloads: Serious Bug

Mozilla warns that Firefox 16 contains significant vulnerability, plans to offer patched version for download as soon as possible.

Just one day after releasing Firefox 16, Mozilla Wednesday suspended downloads of the new software after it discovered a security vulnerability in the browser.

In a security warning, Firefox director of security assurance Michael Coates, said that "the vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters." But he said that Mozilla had seen no evidence that the bug was being exploited by in-the-wild attacks.

Even so, "Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available," said Coates. Furthermore, he noted that "as a precaution, users can downgrade to version 15.0.1," though he said that any current version 16 installations would be automatically updated after the patch gets issued.

Mozilla plans to issue a patched version of Firefox 16 Thursday.

[ Security threats are growing. Read Web API Allows Phishing Attack. ]

In the interim, however, is downgrading to Firefox 15.1 wise? According to vulnerability information provider Secunia, Firefox 15.x contains numerous "highly critical" vulnerabilities that could allow an attacker to remotely bypass the browser's security controls, execute a cross-site scripting attack, spoof websites, crash the browser, or access a user's system. All told, it said there are 23 issues, which remain--as yet--unpatched in version 15, though Mozilla reported fixing 14 known vulnerabilities in version 16.

According to market watcher Net Applications, as of September 2012, Firefox controlled 20% of the desktop browser market, putting it behind Internet Explorer (54%), but ahead of other rivals, including Chrome (19%), Safari (5%), and Opera (2%).

In other security-related browser news, the Electronic Frontier Foundation (EFF) Monday, together with the Tor Project, announced the release of HTTPS Everywhere version 3.

The privacy tool, which is a browser add-on, forces an encrypted HTTPS connection on any website that offers users a choice between HTTP and HTTPS. "Many sites on the Web offer some limited support for encryption over HTTPS, but make it difficult to use," according to the HTTPS Everywhere download page. "For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS."

Despite the branding, however, the tool won't work everywhere, although it does now work with 1,500 sites--or about twice as many as with the previous version--and gets used by about 2.5 million people. "Our current estimate is that HTTPS Everywhere 3 should encrypt at least a hundred billion page views in the next year, and trillions of individual HTTP requests," said EFF technology projects director Peter Eckersley in a blog post.

So far, stable versions of HTTPS Everywhere have only been available for Firefox. But the EFF and Tor, together with a group of volunteers, are developing a version for Chrome and Chromium, though it's not yet ready for public release.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/11/2012 | 8:28:51 PM
re: Mozilla Suspends Firefox 16 Downloads: Serious Bug
This bug has been fixed already. Please post an update to the article..
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/12/2012 | 10:28:29 AM
re: Mozilla Suspends Firefox 16 Downloads: Serious Bug
UPDATE
Mozilla pushed an update for Firefox (16.0.1) at 3pm ET Thursday. This Mozilla security bulletin has more details.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.