Firefox 16 Pulled To Address Security Vulnerability
Shortly after the release of the newest major version of Firefox, an anonymous reader writes with word that "Mozilla has removed Firefox 16 from its installer page due to security vulnerabilities that, if exploited, could allow 'a malicious site to potentially determine which websites users have visited' ... one temporary work-around, until a fix is released, is to downgrade to 15.0.1"
Re:Firefox *16*!? (Score:5, Informative)
Their numbering scheme makes it look like they're not fixing anything, just releasing on a whim. Then this...
The delayed release contains a new Developer Command Line, unprefixes a number of stable features including: CSS3 Animations, Transitions, Transforms, Image Values, IndexedDB and Values and Units. Firefox also unprefixes Battery API and Vibration API, two Web APIs. [Mac users will find that preliminary support for the VoiceOver screen reader]
It also has fixes for numerous critical vulnerabilities. Holes associated with a full 14 security advisories were closed in the new Firefox 16, in fact, 11 of them rated “critical.” [memory corruption and memory safety hazards, a buffer overflow bug, and a spoofing and script-injection flaw]
That sounds like more than enough to justify a release. The fact that they have pulled its release for security reasons seems pretty sensible to me.
Re:Not so smart (Score:3, Informative)
As I understand it, sites can access stored URLs and URL parameters. An obvious example of a URL you wouldn't want exposed would be ftp://username:password@someserver.foo.
In slightly related news 10hrs chrome patch (Score:5, Informative)
http://news.slashdot.org/story/12/10/10/2113239/in-under-10-hours-google-patches-chrome-to-plug-hole-found-at-its-pwnium-event [slashdot.org]
Already fixed (Score:5, Informative)
16.0.1 was already released. Release notes here [mozilla.org].
Re:Not so smart (Score:3, Informative)
16.0.1 is now out.
https://www.mozilla.org/en-US/firefox/all.html [mozilla.org]