Firefox shipped version 16 earlier this week.
I use the “Check for updates but let me choose whether to install them” option, but Firefox hadn’t said anything to me about 16.
So I checked by hand – something I like doing every couple of days, even though it’s not supposed to be necessary – using the About Firefox option.
According to Firefox, I was up to date at 15.0.1.
That left me wondering how come I’d heard about 16.0, so I went to the Systems and Languages Firefox download page, also known as the all versions page. There it was, version 16.0.
So I downloaded 16.0 and installed it over my 15.0.1. A fresh install is hardly any more trouble than an update, so why not be ahead of the curve?
Turns out that there’s a good reason, which couldn’t have been less obvious: 16.0 has been “temporarily removed from the installer page” due to a security hole, documented on Mozilla’s security blog (but not on the regular blog, which seems rather an oversight):
The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.
If, like me, you always go to the all versions page, which is handy if you run more than one operating system, or want to choose a specific language version, you’ll have been offered 16.0 and no other. And if you’ve already upgraded to 16.0, you’d be forgiven for not realising that there’s a security problem at all.
Whether I manually check for updates or go to the default download page, there’s nothing to suggest that I ought to downgrade from 16.0:
To go back to 15.0.1, you have to go to the new download page. That does offer you 15.0.1, to which you’re recommended to downgrade. Until tomorrow, when version 16 should be released and you can upgrade the downgrade of your upgrade:
Confused? Sorry about that.
If you haven’t yet updated from 15.0.1, you’re fine. If you already have version 16.0, grab 15.0.1 from the new link and install it over the no-longer-the-newest 16.0.
Once you’ve downgraded, you’ll get another Hooray! page. This time you will be up to date – for a while, anyway.
And if you’re not yet on either 16.0 or 15.0.1, you probably need to have a little chat to yourself about updating in general.
Although this latest issue reminds us that it’s occasionally problematic to be too far ahead of the curve, it’s always risky to be behind.
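The advice above boils down to a version check against a moving target: on the day of the pull-back the recommended build was 15.0.1 and 16.0 was the one to get rid of; a day later 16.0.1 was the target and both older builds wanted upgrading. The script below is an added example, not code from the post or from Mozilla. It assumes the installed version can be read from the `[App]` section of a Mozilla-style `application.ini` (the `SAMPLE_APPLICATION_INI` text is constructed here rather than read from a real installation) and that the “pulled” and “recommended” version lists are supplied by hand as a hypothetical local policy; it generalises the post’s two cases to any dotted version string.

```python
"""Decide whether an installed Firefox build should be downgraded, upgraded or left alone.

Added example (not part of the original post). Assumptions: the installed
version is read from a Mozilla-style application.ini, and the "pulled" and
"recommended" versions are a hypothetical local policy entered by hand.
"""
import configparser
import re

# Constructed sample of the [App] section of application.ini; a real Firefox
# install ships this file next to the firefox binary.
SAMPLE_APPLICATION_INI = """\
[App]
Vendor=Mozilla
Name=Firefox
Version=16.0
BuildID=20121005155153
"""


def parse_version(text):
    """Turn '16.0.1' into (16, 0, 1); pad so that '16.0' compares equal to '16.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no numeric version found in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def installed_version(ini_text):
    """Read the Version key of the [App] section from application.ini contents."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return parse_version(cp["App"]["Version"])


def advice(installed, recommended, pulled=()):
    """Return a one-line recommendation for the given installed version.

    pulled: versions the vendor has withdrawn (e.g. 16.0 during the roll-back);
    recommended: the version the vendor currently offers on the download page.
    """
    inst = parse_version(installed)
    rec = parse_version(recommended)
    if inst in {parse_version(p) for p in pulled}:
        # A withdrawn build is replaced whichever direction that means.
        direction = "downgrade" if inst > rec else "upgrade"
        return "%s to %s (installed %s was pulled)" % (direction, recommended, installed)
    if inst < rec:
        return "upgrade to %s" % recommended
    if inst == rec:
        return "up to date at %s" % recommended
    return "newer than %s; check the vendor's advisory page" % recommended


if __name__ == "__main__":
    current = ".".join(str(n) for n in installed_version(SAMPLE_APPLICATION_INI))
    # Day of the roll-back: 16.0 withdrawn, 15.0.1 recommended.
    print(advice(current, "15.0.1", pulled=("16.0",)))
    # The following day: 16.0.1 released, 16.0 still withdrawn.
    print(advice(current, "16.0.1", pulled=("16.0",)))
    print(advice("15.0.1", "16.0.1", pulled=("16.0",)))
```

Run it with the constructed sample and it reports a downgrade to 15.0.1 on the first day and an upgrade to 16.0.1 on the second; feed it the `Version` line from your own `application.ini` (or the output of `firefox --version` on Linux) to check a real installation.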
Update: When I checked at 2012-10-11T23:53+11, the all versions page had been changed back so every OS version in every language was at 15.0.1.
–
I assume this issue also exists for SeaMonkey 2.13 given it’s based on the same code? http://www.seamonkey-project.org/releases/seamonk…
This is horrible advice. According to http://secunia.com/advisories/50856/ Firefox 15.0.1 has multiple vulnerabilities, and it is considered end-of-life. The right thing to do is not to use Firefox at all, until they fix the issue in Firefox 16.
That is a bit harsh. The Mozilla team decided to roll back and they are the experts with regards to this situation. They expect to have a new version of 16 available tomorrow, so it is only a temporary measure.
“At this time we have no indication that this vulnerability is currently being exploited in the wild.”
https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
To be perfectly fair, Secunia doesn't say anything about 15.0.1. They simply lump everything into 15.x, without bothering to indicate what was fixed between .0 and .0.1, which suggests that they aren't precisely tracking the holes in Firefox themselves.
Indeed, as far as I can see, Secunia's advisory is just Mozilla's own information and advice, taken from Mozilla's 16.0 release notes of 09 October 2012, and republished on 10 October 2012.
Ergo, if you accepted Secunia's advice from yesterday to advance to 16.0, you might as well accept Mozilla's advice today to retreat to 15.0.1, as the ultimate source of both pieces of advice seems to be the same – Mozilla.
How about Ubuntu? The options described above won't work as Firefox is neatly downloaded and installed via the Ubuntu repositories.
Guess I only have to survive 1 day, then an update will come.
I'm on Ubuntu, and running the Update Manager has just given me an upgrade to Firefox 16.0.1
Not yet arrived here . . .
After a good night's sleep it has arrived, hooray!
But if you go to the "new" link, you get offered the default language English (US). How different this is from English (UK) I am not sure – but I suspect it is more different for other languages!
Out of interest have any of the for-profit browser developers ever launched a buggy upgrade, admitted it and back-graded? Should a public back-grade actually give us more confidence in a browser developer?
I notice (12:00 BST) that the languages page is now back-graded to 15.0.1
Interestingly Thunderbird 16.0 is being offered – does it suffer from the same problem – webpages can open in the email client.
As updated in the article body, at 2012-10-11T23:53+11, the "all versions" page had 15.0.1 throughout – not a 16.0 in sight 🙂
As for a public back-grade…it did make me feel that someone was trying to give me the best advice for me, not to tread a path that was the easiest for them.
And if you had just let Firefox update itself, you would have been okay!
Regards,
RWS
“The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.”
Does this include even auth cookies and/or message body? If not, I don’t visit any pages with critical data passed in URL so I expect to be quite safe as long as I beware of such sites.
So how does this compare to the list of security vulnerabilities fixed in v16:
http://www.mozilla.org/security/known-vulnerabili…
MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-80 Crash with invalid cast when using instanceof operator
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-78 Reader Mode pages have chrome privileges
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-76 Continued access to initial origin after setting document.domain
MFSA 2012-75 select element persistence allows for attacks
MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
READY, FIRE, AIM !
First you test. Then you ship. Why is this so hard for programmers to figure out?
They probably did test, just didn't find the flaw until it was too late to avoid eating crow. Vulnerability testing is hard. You have to look at a piece of code, figure out what it does, and then figure out how to use that for evil. Creativity often takes time.
16.0.1 has been released, panic over :o)
These days, at Mozilla, "QA" means "Quit Asking for quality"…
Now the website offers to download 16.0? Does that mean they fixed it by now? Cuz the link the OP provided in his article took me directly to 16.0 and it looks like maybe Firefox fixed it?