Establishing Digital Trust: Don't Sacrifice Security for Convenience
In a recent blog post, Mozilla director of security assurance Michael Coates announced that Firefox 16 was temporarily removed from the installer page due to a security vulnerability. "The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters," Coates wrote. "At this time we have no indication that this vulnerability is currently being exploited in the wild."
"Since the Firefox 16 vulnerability makes it possible for an attacker to view URLs and URL parameters, that means he or she could also harvest private information that’s passed in a querystring," notes Geek.com's Lee Mathews. "That could include things like your private email address, physical address, and other sensitive data. And the risk is compounded if you happen to visit sites that aren’t very selective about what information they pass via a URL."
"Coates did not note when Mozilla became aware of the new vulnerability, or how it was discovered," writes Computerworld's Gregg Keizer. "Notes from a Mozilla meeting yesterday, however, show the company was aware of it by 11 a.m. PT Wednesday, when it told developers that a 'chemspill' -- Mozilla's term for an emergency update -- was necessary."
"Firefox version 15 is unaffected, and as a precaution users can downgrade to version 15.0.1," writes ITworld's John Ribeiro. "Or they can wait until Mozilla's patches are issued and automatically applied to address the vulnerability, Coates said. The new version of the browser was released on Tuesday and addressed a number of security vulnerabilities, including some considered critical."