

Mozilla Withdraws Firefox 16 Pending Security Fix

By Ken Presti
October 11, 2012    4:11 PM ET

Just one day after rolling out the latest upgrade for general use, Mozilla has temporarily withdrawn Firefox version 16, due to a vulnerability that could allow a malicious site to track user surfing habits.

Updates are expected to be issued shortly, according to a blog post by Michael Coates, director of security assurance at Mozilla.

Firefox version 15 is unaffected, and many users had not yet taken the opportunity to install the new version.

"Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available," he wrote. "As a precaution, users can downgrade to version 15.0.1 by following these instructions. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability."

Although the Mozilla blog post says there is no indication that the vulnerability is currently being exploited in the wild, Ars Technica reports that the attack code is now available online.

The vulnerability was originally reported by a JavaScript blogger known as "The Spanner," who reportedly found a way to carry out the exploit by converting an undefined value into a string. "But then I thought if a string conversion is being done inside the native function then perhaps we can abuse that? Oh yes we can," he wrote. This was apparently leveraged to generate the Twitter handle of website visitors, from which the username and other personal information could then be extracted.
