Mozilla fixes Firefox 16 web browser flaw with update

  • Published
Firefox screenshot
Image caption,

Users are now offered versions 16.0.1 of the browser that does not contain the flaw

Mozilla has updated its Firefox browser to fix a flaw that could have allowed sites to find out which other web pages its users had visited.

The security vulnerability, external was introduced in the 16th edition of its software, temporarily causing Mozilla to replace it with an older version.

The flawed version of the software was only online for a day.

Firefox had a 20% share of the global desktop browser market in September, according to a study by Netmarketshare, external.

That places it second only to Microsoft's Internet Explorer.

"We were quick to recognise the security vulnerability of Firefox 16 and took immediate action to temporarily remove the update from the current installer page," a spokesman from Mozilla told the BBC.

"As a precaution we asked Firefox users to revert back to using Firefox 15.0.1 whilst we worked to fix the problem. Firefox 16 was released with updates completely 'throttled', which meant that users were not automatically updated.

"We take security issues extremely seriously and were able to address the problem with Firefox quickly with limited impact to our users."

Browser bugs

Tal Be'ery, a web researcher at Imperva, explained how the error could have been exploited.

"Firefox is basically leaking a URL's [web address] data across domains by not restricting [programming language] Javascript's location method," he said.

He added that a proof-of-concept exploit had already been created to show how this might be used by hackers to obtain a user's Twitter ID.

It is not unusual for flaws to be discovered in web browsers.

Last month Microsoft was spurred to action by news that a previously unknown security hole in older versions of Internet Explorer was being used to download malware to PCs. The Poison Ivy Trojan allowed hackers to take control of infected computers.

Google recently awarded a teenage researcher $60,000 (£37,400) after he revealed a flaw in Chrome that could be used by a hacker to take control of a victim's system.

The search giant has since issued a fix, but said it would not publish details of how the exploit worked until Apple issued a fix to Safari, which is also vulnerable.

Quick fix

Graham Cluely, senior technology consultant at security software firm Sophos, said Mozilla's flaw could have proved serious had it not been spotted so quickly.

"We can't deny that software these days is very complex," he told the BBC.

"You get millions of lines of code and there are always bugs. This was obviously a serious one that could have been exploited.

"But they have done very well to fix it before anyone was able to take advantage of it."

Related internet links

The BBC is not responsible for the content of external sites.