Firefox browser in upgrade-downgrade confusion with version 16

Filed Under: Featured, Firefox, Vulnerability

Firefox shipped version 16 earlier this week.

I use the Check for updates but let me choose whether to install them option, but Firefox hadn't said anything to me about 16.

So I checked by hand - something I like doing every couple of days, even though it's not supposed to be necessary - using the About Firefox option.

According to Firefox, I was up to date at 15.0.1.

That left me wondering how come I'd heard about 16.0, so I went to the Systems and Languages Firefox download page, also known as the all versions page. There it was, version 16.0.

So I downloaded 16.0 and installed it over my 15.0.1. A fresh install is hardly any more trouble than an update, so why not be ahead of the curve?

Turns out that there's a good reason, which couldn't have been less obvious: 16.0 has been "temporarily removed from the installer page" due to a security hole, documented on Mozilla's security blog (but not on the regular blog, which seems rather an oversight):

The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.

If, like me, you always go to the all versions page, which is handy if you run more than one operating system, or want to choose a specific language version, you'll have been offered 16.0 and no other. And if you've already upgraded to 16.0, you'd be forgiven for not realising that there's a security problem at all.

Whether I manually check for updates or go to the default download page, there's nothing to suggest that I ought to downgrade from 16.0:

To go back to 15.0.1, you have to go to the new download page. That does offer you 15.0.1, to which you're recommended to downgrade. Until tomorrow, when version 16 should be released and you can upgrade the downgrade of your upgrade:

Confused? Sorry about that.

If you haven't yet updated from 15.0.1, you're fine. If you already have version 16.0, grab 15.0.1 from the new link and install it over the no-longer-the-newest 16.0.

Once you've downgraded, you'll get another Hooray! page. This time you will be up to date - for a while, anyway.

And if you're not yet on either 16.0 or 15.0.1, you probably need to have a little chat to yourself about updating in general.

Although this latest issue reminds us that it's occasionally problematic to be too far ahead of the curve, it's always risky to be behind.

Update: When I checked at 2012-10-11T23:53+11, the all versions page had been changed back so every OS version in every language was at 15.0.1.


, , , ,

You might like

20 Responses to Firefox browser in upgrade-downgrade confusion with version 16

  1. @undefined · 1097 days ago

    I assume this issue also exists for SeaMonkey 2.13 given its based on the same code?

  2. Tinker · 1097 days ago

    This is horrible advice. According to Firefox 15.0.1 has multiple vulnerabilities, and it is considered end-of-life. The right thing to do is not using Firefox at all, until they fix the issue in Firefox 16.

    • Chester Wisniewski · 1097 days ago

      That is a bit harsh. The Mozilla team decided to roll back and they are the experts with regards to this situation. They expect to have a new version of 16 available tomorrow, so it is only a temporary measure.

    • billblagger · 1097 days ago

      "At this time we have no indication that this vulnerability is currently being exploited in the wild."

    • Paul Ducklin · 1097 days ago

      To be perfectly fair, Secunia doesn't say anything about 15.0.1. They simply lump everything into 15.x, without bothering to indicate what was fixed between .0 and .0.1, which suggests that they aren't precisely tracking the holes in Firefox themselves.

      Indeed, as far as I can see, Secunia's advisory is just Mozilla's own information and advice, taken from Mozilla's 16.0 release notes of 09 October 2012, and republished on 10 October 2012.

      Ergo, if you accepted Secunia's advice from yesterday to advance to 16.0, you might as well accept Mozilla's advice today to retreat to 15.0.1, as the ultimate source of both pieces of advice seems to be the same - Mozilla.

  3. Digital Adrian · 1097 days ago

    How about Ubuntu? The options described above won't work as firefox is neatly downloaded and installed via the ubuntu repositories.

  4. Digital Adrian · 1097 days ago

    Guess I only have to survive 1 day, then an update will come.

  5. Paul · 1097 days ago

    I'm on Ubuntu, and running the Update Manager has just given me an upgrade to Firefox 16.0.1

  6. David · 1096 days ago

    But if you go to the "new" link, you get offered the default language English (US). How different this is from English (UK) I am not sure - but I suspect it is more different for other languages!

    Out of interest have any of the for-profit browser developers ever launched a buggy upgrade, admitted it and back-graded? Should a public back-grade actually give us more confidence in a browser developer?

    • David · 1096 days ago

      I notice (12:00 BST) that the languages pages is now back-graded to 15.0.1

      Interestingly Thunderbird 16.0 is being offered - does it suffer from the same problem - webpages can open in the email client.

    • Paul Ducklin · 1096 days ago

      As updated in the article body, at 2011-10-11T23:53+11, the "all versions" page had 15.0.1 throughout - not a 16.0 in sight :-)

      As for a public did make me feel that someone was trying to give me the best advice for me, not to tread a path that was the easiest for them.

  7. Bob · 1096 days ago

    And if you had just let FireFox update itself, you would have been okay!



  8. Bovlk · 1096 days ago

    "The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters."

    Does this include even auth cookies and/or message body? If not, I don't visit any pages with critical data passed in URL so I expect to be quite safe as long as I beware of such sites.

    So how does this compare to the list of security vulnerabilities fixed in v16:

    MFSA 2012-87 Use-after-free in the IME State Manager

    MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer

    MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer

    MFSA 2012-84 Spoofing and script injection through location.hash

    MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties

    MFSA 2012-82 top object and location property accessible by plugins

    MFSA 2012-81 GetProperty function can bypass security checks

    MFSA 2012-80 Crash with invalid cast when using instanceof operator

    MFSA 2012-79 DOS and crash with full screen and history navigation

    MFSA 2012-78 Reader Mode pages have chrome privileges

    MFSA 2012-77 Some DOMWindowUtils methods bypass security checks

    MFSA 2012-76 Continued access to initial origin after setting document.domain

    MFSA 2012-75 select element persistance allows for attacks

    MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

  9. Laurence Marks · 1096 days ago


    First you test. Then you ship. Why is this so hard for programmers to figure out?

    • Kat · 1096 days ago

      They probably did test, just just didn't find the flaw until it was too late to avoid eating crow. Vulnerability testing is hard. You have to look at a piece of code, figure out what it does, and then figure out how to use that for evil. Creativity often takes time.

  10. Paul · 1096 days ago

    16.0.1 has been released, panic over :o)

  11. Richard Steven Hack · 1096 days ago

    These days, at Mozilla, "QA" means "Quit Asking for quality"...

  12. Derek · 1095 days ago

    Now the website offers to download 16.0? Does that mean they fixed it by now? Cuz the link the op provided on his article took me directly to 16.0 and it looks like maybe Firefox fixed it?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog