Critical Firefox bug fixed one month after disclosure

IDG News Service - Just days before the start of a hacking contest set to target Web browser vulnerabilities, Mozilla has patched its flagship Firefox browser.

The Firefox 3.6.2 update fixes a critical bug in a font decompression routine that could be exploited to "crash a victim's browser and execute arbitrary code on his/her system," Mozilla said in a security advisory, released late Monday.

Mozilla had been under pressure to fix the bug, after it was included by Russian security researcher Evgeny Legerov last month in his VulnDisco hacking tool, which is sold as an add-on to the Canvas penetration testing kit. The Firefox team had expected to fix the issue next week, but decided to rush out an earlier update, apparently out of concern that Legerov's code could be misused.

The flaw affects Firefox 3.6, but not earlier versions of the browser, Mozilla said.

In his February forum post disclosing the vulnerability, Legerov said that it affected the browser running on Windows XP and Vista.

The flaw lies in the way Firefox implements a Web-based font standard called the Web Open Font Format.

The Firefox update comes as hackers prepare to compete in a three-day contest at Vancouver's CanSecWest security conference. During the Pwn2Own event, contestants will try to break into computers by leveraging previously undisclosed bugs in Firefox, Internet Explorer, Safari, and Chrome. Winners will take home the laptop they break into, as well as a US$10,000 cash prize.

Mozilla is in good company, updating its software ahead of the contest. Apple and Google have also fixed their browsers in the past few weeks.

Contest organizers had previously stated that Legerov's bug wouldn't count if used in their contest, however, since it's already been disclosed.

Firefox 3.6.2 is available for Windows, Mac, and Linux users.