“Mozilla is aware of a security vulnerability in the current release version of Firefox,” Michael Coates, Mozilla’s director of security assurance, explained in a blog. “We are actively working on a fix and plan to ship updates [Thursday]. Firefox version 15 is unaffected.”
According to Coates, the vulnerability could allow a malicious website to capture a person’s Web history, which could be subsequently used for mischief.
“At this time we have no indication that this vulnerability is currently being exploited in the wild,” Coates wrote.
Coates did not say when Mozilla became aware of the new vulnerability, or how it was discovered. Notes from a Mozilla meeting yesterday, however, show that the company was aware of it by 11 a.m. PT Wednesday, when it told developers that a “chemspill” — Mozilla’s term for an emergency update — was necessary.
In a precautionary move, download versions of Firefox 16 have been removed from Mozilla’s installer page. Mozilla expects an updated version of Firefox that addresses the security vulnerability to be available Thursday.
While Mozilla has taken down Firefox 16 from its website, the vulnerable version of the browser is still available elsewhere on the Internet. For example, Yahoo is still promoting Firefox 16 on its website and through ads in Google search results.
If you have Firefox 16 on your computer, it will automatically be updated with the new version when it’s available. If you’re feeling squeamish about having Firefox 16 on your machine, Mozilla recommends that you downgrade your Firefox version to the 15.0.1 release of the software.
While the version of Firefox 16 released Tuesday left this one vulnerability unpatched, it addressed a number of others, including memory corruption and memory safety hazards, a buffer overflow bug, and a spoofing and script-injection flaw.
Update: Mozilla released Firefox 16.0.1 on Thursday, which fixes these security flaws. Read the report on this new version of Firefox.