Mozilla patches Firefox's critical Pwn2Own bug
Ships 'fire-drill' security update five days early, beats Microsoft, Apple to the patch punch
Computerworld - Mozilla Corp. patched two critical Firefox bugs on Friday, including one that a German student used the week before to win $15,000 for hacking three different browsers in the Pwn2Own contest.
Firefox 3.0.8 was released several days earlier than expected. As recently as Thursday, Mozilla had set April 1 as the ship date for what the company labeled a "high-priority, fire-drill security update" that would fix not only the Pwn2Own bug, but also another that was revealed last Wednesday.
Both vulnerabilities were rated "critical" by Mozilla, But the most notable was clearly the one exploited earlier this month at CanSecWest, the security conference in Vancouver, British Columbia, that hosted the Pwn2Own hacking challenge.
At the contest, a 25-year-old computer science student from Germany who would only give his first name as "Nils" hacked Firefox and Safari on an Apple Inc. notebook, as well as Microsoft Corp.'s Internet Explorer 8 running on Windows 7. Nils was paid $5,000 for each successful exploit by 3Com Inc.'s TippingPoint unit, the Pwn2Own sponsor.
According to Mozilla, Nils' bug is in XUL, Mozilla's XML user interface markup language. In some cases, the "_moveToEdgeShift" tree method crashed Firefox. That crash could then "be used by an attacker to run arbitrary code on a victim's computer," Mozilla concluded.
Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its bug tracking and management database, allowing only authorized users to view more information on the flaw.
Firefox 3.0.8 also patched a critical vulnerability that had gone public on the Milw0rm.com exploit site last Wednesday. The bug allowed an attacker to crash Firefox by using malicious XSL code embedded on a Web site. "An attacker could potentially use this crash to run arbitrary code on a victim's computer," Mozilla warned in the accompanying security advisory.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browsers' built-in updater or wait for the automatic update notification, which should pop up within 48 hours.
As expected, Mozilla beat rivals Microsoft and Apple Inc. by patching its Pwn2Own vulnerability first. Although the exploit that Nils used to hack IE8 Release Candidate 1 (RC1) has been blocked by the final version of the browser -- it shipped a day after Pwn2Own -- the underlying flaw has not yet been fixed and can be used by attackers against Windows XP, according to Terri Forslof, TippingPoint's manager of security response.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!