Thunderbird Updated to 16.0.1

October 11, 2012

The Mozilla organization today released a new version, 16.0.1, of its Thunderbird E-mail client for Linux, Mac OS X, and Windows. This corresponds to the release of Firefox 16.0.1, and addresses the same security vulnerability that was accidentally introduced in the 16.0 versions of the software. (Firefox and Thunderbird share a substantial amount of code.) The Release Notes have also been updated to reflect the change.

You can obtain the new version via the built-in update mechanism (Help / About Thunderbird / Check for Updates), or you can get a complete installation package from the Thunderbird download page.


Firefox 16.0 Security Issue

October 11, 2012

In a post on the Mozilla Security blog, Michael Coates, Director of Security Assurance for Mozilla, advises that a new security vulnerability has been found in the recently-released Firefox 16.0.  The threat, apparently, is that details of your browsing history could be disclosed.

The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.  At this time we have no indication that this vulnerability is currently being exploited in the wild.

In addition to identifying the sites the user has visited, there is a potential risk of disclosure of confidential information, if a site sends data to its server as parameters in the URL. (Typically, these will appear after a ‘?’ in the URL, like this: http://www.mysite.foo/app1.html?option=bar.)

Mr. Coates’s post suggests that users could revert to the previous Firefox version, 15.0.1.   I think this is probably unnecessary for most people, if a fix is available today.  If you have already updated to version 16.0 (see Help / About Firefox), I think the risk of waiting a few hours for a patch is small; also, version 16.0 did fix a number of other vulnerabilities, some more serious than this one.

Mozilla has temporarily pulled version 16.0 from the automatic download page(s), although it is still available elsewhere on the Mozilla site.  They expect to release a fix today, Thursday, October 11.  I’ll post another note here when the fix is available.

Update Thursday, October 11, 14:45 EDT

Mozilla has released an updated version 16.0.1 for Android (on Google Play) that fixes this vulnerability, and it appears that they are in the process of releasing the updated version for desktop systems.  I’ll do my best to stay on top of this.

Update Thursday, October 11, 15:00 EDT

Firefox 16.0.1, which fixes this vulnerability, is now available from Mozilla’s download page; updated Release Notes are also available.

