Folks who installed Firefox 16 on Tuesday may want to ensure that they've received an update released this afternoon (16.0.1) which addresses a security flaw. On Wednesday, Mozilla halted distribution of Firefox 16 after learning about a vulnerability that could allow a malicious site to determine which sites users have visited and access the URL or URL parameters. Although the hole was revealed publicly on a UK JavaScript blog, Mozilla says there's no indication that the bug is being exploited in the wild.
Speaking with Ars Technica, Aspect Security CEO Jeff Williams offered a more detailed explanation: "Looks like Firefox introduced a code change that allows a malicious webpage to run some JavaScript that can access the 'location' (the URL bar) of windows," he said. "So attackers can abuse this by using JavaScript to open other windows to protected websites. Then that JavaScript can access the URL and give it to the attacker. This should result in an 'Error: Permission denied' message, but FF16 allows it."
Mozilla released a fix for the latest version of Firefox across all platforms including Windows, Mac, Linux and Android. You can download this update manually, though you shouldn't have to do anything if you have automatic updates enabled. This particular issue doesn't affect users running an older version of the browser.
Firefox 16's new developer command line
Security blunder aside, Firefox 16 brings many improvements over August's build, including improved support for Mac OS X Lion, the introduction of incremental garbage collection, a greater implementation of HTML5 and CSS3, a developer command line, a Reader Mode for Android and more bug fixes than we care to count.