If you use Firefox as your web browser, you should update it now to version 50.0.2 (or a later one if it exists).
Late last night, someone disclosed on a public mailing list a vulnerability that is present in the Tor and Firefox web browsers. This vulnerability may allow an attacker to run code on your computer if you visit an infected web site. You can read more about the vulnerability and how it works here. Ars Technica and The Register are also doing a great job of covering this.
While the bug is definitely exploitable in the Tor browser, it is not yet clear if it can be exploited in current versions of Firefox.
What do I do right now?
You should immediately update Firefox to version 50.0.2.
Why are you writing about this?
This bug has only just been patched. Even though Firefox has an auto-update mechanism, we often see old versions of Firefox that haven’t been updated in a long time.
In each case, Firefox definitely needs to be updated to at least version 50.0.2.
How will I update my copy of Firefox?
On a Mac
If you are using a Mac, you can check your Firefox version by selecting “About Firefox” from the Firefox menu and checking that Firefox says that it is up to date. If it is not, click the update button.
Click on the Firefox Menu at the right of the address bar and click the “Help” icon.
Choose About Firefox from the menu:
Check that your Firefox says that it is up to date. If it is not, click the update button.
Firefox will automatically update when you open it if you are online and your user account has permission to install software, but you will need to close all open windows and reopen Firefox once the update has installed.
In some cases you may need an IT administrator to update your software. If you are running an older version of Firefox and can’t update it yourself, you should contact your IT team and ask them to update it.
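For IT teams checking many machines, the version test can be scripted. The following is an added example, not part of the original article: it assumes you have collected the output of `firefox --version` from each machine into `host|output` lines (the host names and sample lines are constructed), and it flags anything below 50.0.2 or anything it cannot parse.

```shell
#!/bin/sh
# Added example: flag Firefox installs older than the fixed release in the article.
MIN_VERSION="50.0.2"   # fixed version named in the article

version_ge() {
    # Returns 0 when dotted version $1 >= $2, comparing each field numerically.
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "$a" = "$fa" ] && a="" || a=${a#*.}
        [ "$b" = "$fb" ] && b="" || b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}          # missing fields count as 0 (50.0 == 50.0.0)
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

classify() {
    # $1 is one line of `firefox --version` output, e.g. "Mozilla Firefox 50.0.2".
    ver=${1#*Firefox }
    [ "$ver" = "$1" ] && { echo UNKNOWN; return 0; }   # no "Firefox " prefix found
    case $ver in
        ""|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN ;;   # suffixed or odd strings: review by hand
        *) if version_ge "$ver" "$MIN_VERSION"; then echo OK; else echo OUTDATED; fi ;;
    esac
}

audit_inventory() {
    # Reads "host|version output" lines on stdin; prints only hosts needing attention.
    while IFS='|' read -r host out; do
        [ -n "$host" ] || continue
        status=$(classify "$out")
        [ "$status" = "OK" ] || printf '%s %s\n' "$host" "$status"
    done
}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY='ws-01|Mozilla Firefox 50.0.2
ws-02|Mozilla Firefox 50.0
ws-03|Mozilla Firefox 49.0.2
ws-04|Mozilla Firefox 51.0
ws-05|firefox: command not found'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Version strings that carry a suffix or otherwise do not parse are reported as UNKNOWN rather than guessed at, so those machines get checked by hand.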
Updates to this article
We’ve updated this article a couple of times. Here are some of the changes.
- Provide reference to Ars Technica and The Register (12am)
- Provide clarity around the scope of the vulnerability (7:30am)
- Update about the release of 50.0.2 which addresses the vulnerability