
Firefox 16 Pulled To Address Security Vulnerability 165

Posted by timothy
from the cautious-cautious dept.
Shortly after the release of the newest major version of Firefox, an anonymous reader writes with word that "Mozilla has removed Firefox 16 from its installer page due to security vulnerabilities that, if exploited, could allow 'a malicious site to potentially determine which websites users have visited' ... one temporary work-around, until a fix is released, is to downgrade to 15.0.1"

  • Wow, I'm still using FF 3.6.12. I must have fallen into a time warp bubble... What year is this?

    • by Anonymous Coward on Thursday October 11, 2012 @08:57AM (#41618197)

      Finally Firefox got legal in my state.

    • If you have been anywhere near any tech site in the last year or more, you would know that firefox has gone mad with the numbering scheme. So, either you've been offline for longer than usual, or are trolling mozilla.
      • It's simply replicating Chrome's numbering scheme. The idea that a higher version number is a better product is still ingrained in people's heads for some reason.
      • Re: (Score:3, Insightful)

        by buck-yar (164658)

        Their numbering scheme makes it look like they're not fixing anything, just releasing on a whim. Then this...

        • Re:Firefox *16*!? (Score:5, Informative)

          by tuppe666 (904118) on Thursday October 11, 2012 @09:31AM (#41618505)

          Their numbering scheme makes it look like they're not fixing anything, just releasing on a whim. Then this...

          The delayed release contains a new Developer Command Line, unprefixes a number of stable features including: CSS3 Animations, Transitions, Transforms, Image Values, IndexedDB and Values and Units. Firefox also unprefixes Battery API and Vibration API, two Web APIs. [Mac users will find that preliminary support for the VoiceOver screen reader]

          It also fixes numerous critical vulnerabilities. Holes associated with a full 14 security advisories were closed in the new Firefox 16, in fact, 11 of them rated “critical.” [memory corruption and memory safety hazards, a buffer overflow bug, and a spoofing and script-injection flaw]

          That sounds like more than enough to justify a release. The fact that they have pulled its release for security reasons seems pretty sensible to me.

      • Re:Firefox *16*!? (Score:4, Interesting)

        by mcgrew (92797) * on Thursday October 11, 2012 @09:13AM (#41618351) Homepage Journal

        So, either you've been offline for longer than usual, or are trolling mozilla.

        If he were trolling Mozilla he would have said "here's the patch!" and linked the IE download page. Um, did the IE vuln get fixed yet? Opera is looking better and better!

        • by L4t3r4lu5 (1216702) on Thursday October 11, 2012 @10:23AM (#41619055)

          If he were trolling Mozilla he would have said "here's the patch!" and linked the IE download page. Um, did the IE vuln get fixed yet? Opera is looking better and better!

          You can prise Mosaic from my cold, dead, Compaq Presario PC with 200MB hard drive and Pentium MMX CPU!

        • by lxs (131946)

          Opera is looking better and better!

          But Opera is only on version 12.02!

        • So, either you've been offline for longer than usual, or are trolling mozilla.

          If he were trolling Mozilla he would have said "here's the patch!" and linked the IE download page. Um, did the IE vuln get fixed yet? Opera is looking better and better!

          Yep, within 24 hours. IE may have a much slower release schedule and be behind in some areas, but it is not IE 6 anymore. It is an OK browser and certainly usable after IE 9, and IE 10 is very competitive with Chrome and FF, believe it or not. Since MS takes security seriously they have improved it and have a security response team similar to Google's and Symantec's.

          You can hate Windows still, but I do give them applause; they have been very active shutting down malware networks.

      • Re:Firefox *16*!? (Score:5, Insightful)

        by BenJury (977929) on Thursday October 11, 2012 @09:14AM (#41618355)
        Why is it 'mad'? I don't understand why people have such issues with this. It's just a damn number. If it really irks you so much just add a decimal point to the start of it in your head and move on.
        • by BenoitRen (998927)

          Obviously people have an issue with this because it's not just a number.

        • by Anonymous Coward

          Never, ever, did I hear these fossils complain about the version numbering of the web browser of their darling ad broker.

          Firefox does it, bang, default complaints with every release.

        • Re:Firefox *16*!? (Score:5, Insightful)

          by dietdew7 (1171613) on Thursday October 11, 2012 @09:51AM (#41618725)
          It's mad because we never know whether we're getting a patch with a few bug fixes or a completely different UI. I guess I'm mostly annoyed that Mozilla and other software producers feel the need to make-over their UI every six months. It feels like change just for the sake of change.
          • by mattOzan (165392)

            Firefox Extended Service Release (ESR) is available for those who require consistency in the UI for a longer term.

            http://www.mozilla.org/en-US/firefox/organizations/

            Major version releases are only every 12 months. There is a minor patch release every six weeks which coincides with "normal" Firefox version updates. All security patches are deployed to both release channels, but feature enhancements are not deployed to the ESR channel between major version releases.

            • by X0563511 (793323)

              Is there some reason this isn't the "default" distribution of it then? Nobody but QA testers and gentoo fans should be using the other one.

          • by sjames (1099)

            Then use the ESR and be happy. It's been a few years now since developers reliably used the major.minor.sub-minor versioning.

        • Why is it 'mad'? I don't understand why people have such issues with this. It's just a damn number. If it really irks you so much just add a decimal point to the start of it in your head and move on.

          It's not just a damn number. By convention in typical software versioning, version X.Y.Z means:

          - X: major version number
          - Y: minor version number
          - Z: bug fix version number

          Taking a house analogy:

          - The major version number is akin to the building itself; it's the overall architecture. You bump this when you basically tear part or all of the whole thing down and rebuild it on more solid foundations.
          - The minor version number is akin to the interior floor plan, plumbing, cabling, etc.; it's the API. You bump t

          • by BenJury (977929) on Thursday October 11, 2012 @11:50AM (#41619959)

            That argument completely falls apart, however, when you consider the system admin or the advanced user who ends up asking himself whether he should upgrade a non-conforming piece of software on a computer or not.

            If you're making this decision based on the version number alone, you're doing it wrong.

            • by X0563511 (793323)

              When you have several options of more or less equal merit, the version numbering scheme is a perfectly valid deciding factor.

              • by BenJury (977929)
                With logic like that, I somehow suspect you work in a paper factory in Slough.
                • by X0563511 (793323)

                  Why? If the decision is closely matched enough to be arbitrary, why are arbitrary deciding factors not appropriate?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Please, enough with those old jokes. Firefox is buggy and slow enough to create new ones.

    • by dna_(c)(tm)(r) (618003) on Thursday October 11, 2012 @09:12AM (#41618343)

      Wow, I'm still using FF 3.6.12. I must have fallen into a time warp bubble... What year is this?

      Don't worry, Mozilla switched from miles to meters. It's only three weeks ago. Expect FF 238 around Christmas.

      • The asymptotic release shortening means they'll have to start using scientific notation shortly after the new year.
      • Yeah that's what I was thinking. FF50 will be out by the time I'm old enough to date.
      • Re: (Score:3, Funny)

        by Anonymous Coward

        The newest version of Firefox glows an eerie blue due to the Cherenkov Radiation emitted as the electrons making up its version number accelerate faster than the speed of light can travel in the OS medium it's suspended in.

    • by higuita (129722)

      Don't worry, they dropped the 3.7 from the version... just imagine that it's version 3.7.16 :)

    • by Luckyo (1726890)

      Is 3.6.28 bugged for you? It's the last release of the 3.6 "not chromefox" family.

    • by jonadab (583620)
      I tried Firefox 3, but it kept losing tabs on me. I downgraded to Firefox 2 and have not looked back.
  • Well, guess that serves me right for being on the Firefox beta channel. I honestly don't even remember how long I've been using the FF16 beta. TFA didn't mention if beta users are affected, but I'm going to assume that we are.

  • Not so smart (Score:5, Interesting)

    by SirDice (1548907) on Thursday October 11, 2012 @09:07AM (#41618297)
    Why the hell did they pull it? Firefox 16.0 fixes 24 bugs, of which 21 are considered important. They're advising people to downgrade to THAT version because of ONE minor privacy issue. Seriously? Why don't they urge people to upgrade to 16.0 and start pushing out 16.0.1 as fast as they can?
    • by Bigby (659157)

      Yeah, I was thinking "We're all going to die!" How is this considered that major of a bug? I guess maybe they can get the session ID in a GET request and get to your banking website?

      • Re: (Score:3, Informative)

        by Anonymous Coward

        As I understand it, sites can access stored URLs and URL parameters. An obvious example of a URL you wouldn't want exposed would be ftp://username:password@someserver.foo.

  • Oh well (Score:4, Insightful)

    by scdeimos (632778) on Thursday October 11, 2012 @09:08AM (#41618305)
    I guess the decades-old saying still holds true, "never install a point-O release."
  • by Anonymous Coward

    Why don't they issue an 'update' that downgrades me back to 15.0.1 then? They can even rename it 16.1 or whatever to keep the auto-update happy with a version number increment.
    I got upgraded yesterday, do I have to manually downgrade myself - seems ridiculous.

  • Sad but expected (Score:3, Insightful)

    by Arker (91948) on Thursday October 11, 2012 @09:20AM (#41618401) Homepage

    Considering all the stuff "16" was supposed to have fixed, recommending a rollback over this sounds completely incompetent. And therefore expected.

    Remember, these are the same geniuses that decided to start rolling the version number every time someone fixes a typo a few months ago, and thus calling the current version (what is it really, 5.3 or so?) 16. And it isn't truly new either, take a look at this old bug for example: https://bugzilla.mozilla.org/show_bug.cgi?id=78414 [mozilla.org]

    Been sitting there well over 10 years now. Not one serious attempt to fix it. How many new features that no one wanted and random GUI changes to confuse users have they managed to implement in that time period?

    So yeah, no surprise here. Please, someone, make a browser that doesn't suck.

    • by BenoitRen (998927)

      Maybe you'd like SeaMonkey or Opera.

    • Re: (Score:1, Funny)

      by jonadab (583620)
      > Please, someone, make a browser that doesn't suck.

      Oh, they already did that. It's called Firefox 2.0.0.20.

      Open-source programmers famously don't like to re-invent the wheel, so naturally since making a browser that doesn't suck has already been done, it's now a solved problem and therefore no longer interesting to work on.

      The community has therefore moved on to newer and better things, like combining related toolbar buttons into one (back/forward), unnecessarily changing how user data (such as bookmark
    • by Jesus_666 (702802)

      So yeah, no surprise here. Please, someone, make a browser that doesn't suck.

      True. As a web developer I like HTML5 and CSS3 but it's interesting how browser engines are often still lacking in fairly basic things. For instance, WebKit apparently can't handle hover states on pseudo-elements properly [webkit.org].

      Perhaps the browser/engine devs should spend some time on making sure that the existing functionality works well before trying to one-up each other in who supports the latest first-draft CSS feature. Then again that's not how competition works so I guess I'll be looking forward to CSS5 A

    • So, a Java emulator with a QuickSave binding at F11 or ^s you would rather hit F11 and Firefox wanks to fullscreen? What about arrow keys? I can't scroll up/down a page (or left/right for that matter) when a plug-in OR an input box has focus! So horrible when I'm trying to play Pacman flash games, jamming up/down/left/right on twitch reactions, and the page just SITS STILL AND WON'T SCROLL! That's a total bug, must fix it.
      • by Arker (91948)

        If your gizmo really needs reserved keystrokes like that, then you should think about making it a separate app, not running it inside a browser!

        The browser global keystrokes only serve their purpose when they are globally available and always work. This is absolutely fundamental. Shortcut keys that only work in certain tabs, not in others, depending on what is loaded, is fundamental interface breakage. Shortcut keys that do one thing in one tab but something else entirely in another is even worse.

        • and what about JavaScript hijacking keystrokes and context menus, resizing and moving windows, etc?
          • by Arker (91948)
            Which is why most of the sites that use a lot of javascript are essentially unusable without noscript.
    • by jez9999 (618189)

      Please, someone, make a browser that doesn't suck.

      Try Seamonkey's browser [seamonkey-project.org].

      • by Arker (91948)

        This is a really hilarious suggestion. Not that I am saying I won't try it, but... let's remember here. Back a long time ago, it was Netscape Navigator that we all adopted because it sucked less than Mosaic. Then it became this whole huge crufty Netscape suite, with a bunch of extra stuff most of us didn't want or use (including a particularly awful mail client.) People slowly quit using Netscape, moving to IE (blech) or Opera in worrying numbers. Netscape became Mozilla, and this Netscape Suite became, if I

    • by donaldm (919619)
      The latest update of F17 has firefox 16.0.1. (firefox-15.0.1-1.fc17_16.0-1.fc17.x86_64.drpm) With delta rpms it is only 8.7 MB, however I also noted a new Chrome update which like all Chrome updates has no deltas so I have to download another 43 MB which is a little annoying especially when my last update was only a few days ago.

      google-chrome-stable-22.0.1229.92-159988.x86_64.rpm (43 MB) - 8th Oct 2012
      google-chrome-stable-22.0.1229.94-161065.x86_64.rpm (43MB) - Today

      To be fair I also got two kernel rel
      • by Arker (91948)

        I guess I overstated, I don't expect a program that doesn't suck. Just one that sucks less. That's all I ask for, a little slack.

        They suck when they get in your way with awkward interfaces or change for the sake of change. They suck when they encourage a generation of truly awful web designers and even infect HTML itself with suckage. They suck when they hand control of your machine out to any random web page they happen to get directed to. They suck when they insult your intelligence with idiotic schemes pre

  • I know about the new speedy release scheme, but how is it possible that version 16 is released when 15 is only at 15.0.1?
    • by jonadab (583620)
      > I know about the new speedy release scheme, but how is it
      > possible that version 16 is released when 15 is only at 15.0.1?

      Apparently you've *heard* of the new speedy release scheme but don't actually _know_ about it.

      Point releases are no longer planned in to the release schedule. After 15.0.1, the next planned, scheduled release would be 16.0, and after that 17.0 then 18.0. That's the whole point of the new speedy release scheme: every planned release, no matter how minor, gets a new major version
      • Except... this new light-speed release cycle has already proven to create several duds, leading to an official release and then a near-immediate (or in this case, immediate) bugfix "point" release. So it's obviously not working too well. But don't tell Mozilla that, it might just make Asa cry. I've said it before and I'll say it again, I can't say it enough... Mozilla's rapid-release idea is a fucking joke.

        The reality is that this should be something more like 4.5.12 or something... not version 16.

      • by lennier (44736)

        Soon new versions of Firefox will start installing themselves in user-writable locations in each user account separately by default, just to make sure all network administrators hate it with a fiery passion.

        Actually that would make our lives easier. So they won't do that. I think if the Firefox devs really cared what us administrators thought they'd have provided centralised Group Policy configuration back when we asked for it - ten years or so ago - instead of making us edit custom .js files and manually ship them to the workstations. But still, they haven't completely forgotten us; they keep the old Netscape Communicator era "profile" system with randomised path name, which nobody ever uses and which breaks

  • by teslatug (543527) on Thursday October 11, 2012 @09:32AM (#41618517)
    Let's see, they make it super easy to upgrade, but much harder (in comparison) to downgrade. Can you guess what the majority of users will do?

    Of course the fast upgrade cycle has a downside, it's only a matter of time before Mozilla would let its users down with this newfangled upgrade methodology they've subscribed to.

    If you're going to have a quick and seamless way to upgrade, you better have a quick and seamless way of downgrading too!
    • by Cyko_01 (1092499)
      It's funny you say that, because the new rapid release cycle allows for twice as much bug finding/fixing time compared to the old way
    • by Cyko_01 (1092499)
      Oh, and most people will wait the 2 days for the patch in 16.0.1
  • I don't get why they bothered. By the time anyone gets around to bothering with an exploit on a mass scale Firefox 17 would have been released. Besides, who really wants to know I visit "extra lunch money" on a daily basis?
    • by bsmedberg (955986)
      Malware authors work a lot faster and more efficiently nowadays. Public security holes show up in the rootkits within hours or days and are exploited within a week.
  • Certainly there are pros and cons, and it’s indicated to organizations, but why not use Firefox 10 ESR (Extended Support Release) and escape the pressure of the browser market? http://www.mozilla.org/en-US/firefox/organizations/all.html [mozilla.org]
    • I use FF 10 ESR personally and I install it on the work computers. In general I'm happy with it and my users are happy with the web browser interface not changing every month and a half, but I have run across one annoying issue. Many web developers have a policy of only supporting browsers 2 or 3 versions older than what is current. Developers in the know should certainly make an exception for Firefox ESR, but I have had a few web sites admonish me for running an outdated browser.

  • by Animats (122034) on Thursday October 11, 2012 @12:45PM (#41620477) Homepage

    I was subscribed to the Firefox beta channel, since I develop add-ons for Firefox. When Firefox 16 came out on the release channel, the beta channel was still delivering Firefox 15.0. Apparently somebody skipped the beta test.

  • Already fixed (Score:5, Informative)

    by Emetophobe (878584) on Thursday October 11, 2012 @02:58PM (#41621851)

    16.0.1 was already released. Release notes here [mozilla.org].
