Firefox shipped version 16 earlier this week.
I use the “Check for updates but let me choose whether to install them” option, but Firefox hadn’t said anything to me about 16.
So I checked by hand – something I like doing every couple of days, even though it’s not supposed to be necessary – using the About Firefox option.
According to Firefox, I was up to date at 15.0.1.
That left me wondering how come I’d heard about 16.0, so I went to the Systems and Languages Firefox download page, also known as the all versions page. There it was, version 16.0.
So I downloaded 16.0 and installed it over my 15.0.1. A fresh install is hardly any more trouble than an update, so why not be ahead of the curve?
Turns out that there’s a good reason, which couldn’t have been less obvious: 16.0 has been “temporarily removed from the installer page” due to a security hole, documented on Mozilla’s security blog (but not on the regular blog, which seems rather an oversight):
“The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.”
If, like me, you always go to the all versions page, which is handy if you run more than one operating system, or want to choose a specific language version, you’ll have been offered 16.0 and no other. And if you’ve already upgraded to 16.0, you’d be forgiven for not realising that there’s a security problem at all.
Whether I manually check for updates or go to the default download page, there’s nothing to suggest that I ought to downgrade from 16.0.
To go back to 15.0.1, you have to go to the new download page. That does offer you 15.0.1, to which you’re recommended to downgrade. Until tomorrow, when version 16 should be released and you can upgrade the downgrade of your upgrade.
Confused? Sorry about that.
If you haven’t yet updated from 15.0.1, you’re fine. If you already have version 16.0, grab 15.0.1 from the new link and install it over the no-longer-the-newest 16.0.
Once you’ve downgraded, you’ll get another Hooray! page. This time you will be up to date – for a while, anyway.
And if you’re not yet on either 16.0 or 15.0.1, you probably need to have a little chat to yourself about updating in general.
Although this latest issue reminds us that it’s occasionally problematic to be too far ahead of the curve, it’s always risky to be behind.
Update: When I checked at 2012-10-11T23:53+11, the all versions page had been changed back so every OS version in every language was at 15.0.1.