At around 2:30 p.m. ET, Mozilla turned on its upgrade servers and started pushing Firefox 16.0.1 to users who had earlier downloaded the flawed browser, or who were still running version 15 and earlier. About 30 minutes later, the open-source developer restored the patched program to its and download pages.
Yesterday, from its download websites and stopped serving it to existing users as an upgrade. The withdrawal was prompted by the discovery of a vulnerability, which the "could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters."
On Wednesday, Mozilla promised to ship an emergency update -- it calls them "chemspills" in a nod to security toxicity -- today.
Mozilla has now provided more information about the bug, which it rated as critical.
"Mozilla security researcher 'moz_bug_r_a4' reported a regression where security wrappers are unwrapped without doing a security check in defaultValue()," an noted. "This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution."