
Mozilla urges users to upgrade Firefox after security flaw found

Mozilla hurried out a major update to its Firefox browser this weekend, designed to rectify a significant security flaw identified last week.

Soon after releasing Firefox 16 last week, the browser maker found that a security hole could allow hackers to see Firefox users’ browsing history and URL parameters. The Mozilla community was quick to spot the issue and removed the update from its site, but not before the version had been downloaded by hundreds of users.

Since April 2012 Mozilla has been automatically updating users’ versions of Firefox.

Users who did upgrade to Firefox 16 are being urged to upgrade to Firefox 16.0.1, which the organisation says removes the flaw.

“The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.  At this time we have no indication that this vulnerability is currently being exploited in the wild.”

The security hole was not knowingly exploited by any hackers, although some users were able to test the issue to see how it could be used to obtain users’ personal data. One test managed to obtain a user’s Twitter ID amongst other data. The flaw was only introduced with Firefox 16; no earlier version of the program is vulnerable.

The danger is that hackers could associate a user’s search habits with their social networking accounts to build a profile of their online activities.

You can check if you have the flawed version of Firefox by clicking Help > About (or pressing Alt+H+A) in the browser. Firefox should then check for the latest correct version of the software and begin downloading this automatically. Alternatively, Firefox 16.0.1 can be downloaded from the Firefox website.

While this is an embarrassment for Mozilla, the open source browser is still considered to be one of the most secure.

Last month the German government urged its citizens to stop using Microsoft’s Internet Explorer because a Trojan called Poison Ivy, which targets the browser, had yet to be fixed. A successful Poison Ivy attack would have provided hackers with control over the user’s system.

Ajit Jain

Ajit Jain is marketing and sales head at Octal Info Solution, a leading iPhone app development company and offering platform to hire Android app developers for your own app development project. He is available to connect on Google Plus, Twitter, Facebook, and LinkedIn.
