Mozilla confirms critical Firefox bug
Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest
Computerworld - Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.
Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.
"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."
Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.
The bug was disclosed by Russian researcher Evgeny Legerov a month ago in a message posted on a forum hosted by Immunity, the Miami Beach, Fla. developer best known for its Canvas penetration testing framework. Legerov works for Moscow-based Intevydis, which produces the VulnDisco add-on for Canvas.
Legerov did not publish attack code, and initially refused to provide details to Mozilla, according to a March 4 entry he posted on his blog. "I've ignored e-mails ... from Mozilla, please do not waste my and your time anymore," Legerov wrote. The blog has since been deleted, but is still available via Google's cache.
In comments appended to a vulnerability alert published by Danish bug tracker Secunia, several users questioned Legerov's motives for making the announcement, while others chided Secunia for not thoroughly testing the flaw or claimed that it was all a hoax.
Mozilla yesterday said Legerov had eventually sent them "sufficient details to reproduce and analyze the issue."
Until the March 30 patch is released, users can upgrade Firefox to the beta of version 3.6.2, which includes the fix, by downloading the preview.
Although Apple and Google have recently updated Safari and Chrome, respectively -- beefing up the browsers' security before the $100,000 Pwn2Own hacking contest starts March 24 -- the version of Firefox that will be used in the challenge will lack the patch for Legerov's vulnerability. Pwn2Own will pit only production versions of Chrome, Firefox, Internet Explorer (IE) and Safari against the hacking talents of researchers.
However, that doesn't mean hackers will be able to use the bug to claim one of the $10,000 prizes for successfully exploiting Firefox. "We will have our entire research team on-site so that we can do our best to ensure that known issues such as this one do not turn up at our contest," said Aaron Portnoy, a research team lead with 3Com TippingPoint, the company sponsoring Pwn2Own.
Mozilla will also patch Firefox 3.0 (with 3.0.19) and Firefox 3.5 (with 3.5.9) on March 30. Firefox 3.0.19 will be the final security update for the browser Mozilla debuted in mid-2008.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com data
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts