Mozilla Yanks Firefox Version 16 Over Security Vulnerability

Mozilla has removed the latest version of its Firefox Web browser just over a day after it was released, due to a vulnerability that was discovered after it had shipped.

The action was dismissed by many as simply an example of an organization protecting users by fixing a flaw. However, opponents of Mozilla's new release schedule say this most recent event could have been prevented with proper checking.

Michael Coates, the director of security assurance for Mozilla, made the announcement of the decision to pull the latest build of Firefox on the organization’s security blog on Wednesday.

“Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available,” he wrote.

“The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters," he continued. "At this time we have no indication that this vulnerability is currently being exploited in the wild. We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.”

As of 0400 EST on Thursday, version 16.0 of the popular Web browser was still unavailable, with all channels reporting 15.0.1 as the latest stable build.

Matt A. Tobin, leaving a comment on Mozilla’s security blog, criticized the organization's rapid release initiative, saying that he was disappointed. His remarks mirror those of many pundits who were against the move to push releases to the public at a quicker pace.

“With features and code being backed out you are left with mixing of new and old code which presents unpredictable results in the so called 'Final' product which has affected stability and reliability in the browser since Firefox 5 began the trend," Tobin wrote. "Obviously this was a marketing decision made with no regard for code stability or testing. It is and has harmed firefox (sic) so much more than the apparent slowness of the previous release cycle ever did."

Tobin closed his remarks by giving a nod to a recent fork of Firefox dubbed Pale Moon. Mozilla did not respond to his remarks.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.