Mozilla pulls Firefox 16 over privacy problem

Just one day after releasing version 16 of Firefox, Mozilla pulled the latest update to its open source web browser, citing a security concern. In a blog post, Michael Coates, Mozilla's Director of Security Assurance, says that the developers discovered a vulnerability in the final 16.0 release which "could allow a malicious site to potentially determine which web sites users have visited and have access to the URL or URL parameters". The flaw appears to allow bad actors to acquire the user's history, which potentially contains information that could, for example, make it easier brute force the user's login credentials or expose a user's reading habits and interests.

Coates says that even though there are no indications that the security hole is being actively exploited in the wild, Mozilla has temporarily removed Firefox 16 from the current installer page and is no longer automatically upgrading existing users to the new version. Mozilla's Firefox web page and primary download site page now list version 15.0.1 as the latest release.

Users who have already upgraded to Firefox 16 can downgrade to version 15.0.1, which is not affected, as a precaution. However, it is worth noting that while it contains this new security flaw, Firefox 16 also closed a total of 14 security holes, 11 of which were rated as "Critical" by Mozilla. According to Coates, the developers are actively working on a fix, which they plan to release later today, 11 October.

Update 12:05 BST: Mozilla has released version 16.0.1 of Firefox for Android to correct the privacy vulnerability. The update also improves the mobile browser's stability on Android devices running CyanogenMod 10 (CM10). Updated desktop versions of Firefox are not yet available.