Firefox 16 vulnerability

Published October 11, 2012

Mozilla is recommending people downgrade back to Firefox 15 (or use Chrome, presumably) due to a security problem version 16 has. It turns out it's not actually that bad - it may allow a site to determine or access your history, so a lot of people probably should decide for themselves if they care about that instead of just downgrading. Also Firefox 16 fixed some pretty open ended security issues from 15, and I'd rather sacrifice my privacy a bit than have people install software on my machine. So honestly, I shouldn't downgrade to 15.

This isn't the first time a user's history has been at risk. Back in the day, people used to be able to figure out history by CSS styles applied to visited links. Then browsers plugged that, and there was another attempt, this time using cache timing attacks via JavaScript controlled and timed remote requests (although it wasn't particularly reliable).

In each of these the exploit allowed the attacker to give a URL and see if the user had visited it. The detail is important - they couldn't (practically) generate an exhaustive list of a user's history, they had to stab in the dark and deal with yes/no answers for URLs. So, in reality, although it could be a big privacy issue, it would be hard to exploit effectively. It's not clear if the current bug is the same as these, or whether it is more powerful (I can't find a bug report, and I guess Mozilla are sensibly keeping details scarce).

In any case, it goes to show why it's best to let other people beta test 'stable' releases for the first few days.