Mozilla released the latest version of their popular Firefox web browser on Tuesday, an update called Firefox 16 that promised fixes for all sorts of critical security flaws. Then on Wednesday Mozilla pulled Firefox 16 for having all sorts of critical security flaws.
To their credit, Mozilla claims to have fixed these flaws. As of Thursday afternoon, Mozilla had re-released Firefox 16, and that's the version now available for download on their home page. But I have to admit, I'm thinking twice before downloading it.
"Mozilla is aware of a security vulnerability in the current release version of Firefox," the company announced in a blog post to warn users of security flaws in Firefox 16. "We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected."
They have since posted the updated, supposedly corrected version. "An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11," an update to the post says. "Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version." Indeed, if you go to that page, you will get Firefox 16.0.1. See, it's already got upgrade numbers added onto the end!
A fix to the Android mobile version of Firefox 16 was released last night.
The security flaw allowed malicious websites to acquire your entire Firefox browsing history. That includes pages where you were logged in to an account, for instance your Twitter account. By exploiting this flaw, a hacker could log in to your account as you without knowing your password.
How dangerous is it to run the flawed version of Firefox 16? The attack code that would allow malicious websites to extract your browsing history is all over the internet. The code has been published on the blog Ars Technica. It's only eight little lines of code, and it could give a hacker access to your web browsing history and personal web accounts.
Mozilla claims that there was no evidence that any hackers managed to exploit this security flaw.
This is not the first time the Firefox browser was yanked immediately after release. In December 2011, Firefox 9 was also released, pulled back, and re-released in the span of a day. That problem involved browser crashes, not exploitable security flaws.