Update: Firefox update will patch CSRF bug, Mozilla says
Delayed Firefox 3.6.14, 3.5.17 to ship March 1, fix cross-site request forgery bug that can be exploited via Flash
Computerworld - Mozilla said late Wednesday that it will ship security updates to Firefox 3.5 and Firefox 3.6 next week that will include a patch for a bug that can be exploited using a malicious Adobe Flash file.
(Editor's note: An earlier version of this story, published before Mozilla responded to a request for comment, said company meeting notes suggested that the Firefox security updates would not include the patch.)
Firefox 3.5.17 and Firefox 3.6.14 will now appear Tuesday, March 1, Mozilla disclosed in meeting notes published today.
Originally slated for release Feb. 14, the security updates were held while Mozilla developers investigated a bug that affected some, though not all, users of the betas. According to Mozilla, the bug caused some copies of the updates to repeatedly crash. Mozilla then backed out a recent fix to retest the betas.
Around the same time, another problem -- a separate cross-site request forgery (CSRF) vulnerability -- surfaced that Mozilla needed to patch. "Adobe is pressing for a release due to a public CSRF issue," Mozilla said last week.
The vulnerability is in Firefox, but Adobe's involved because the vulnerability can be exploited using a malformed Flash file.
According to patch information posted Feb. 8 by the open-source Ruby on Rails Web development framework, and a follow-up message two days later on a security mailing list, the CSRF bug can be exploited by "Certain combinations of browser plug-ins and HTTP redirects."
An attacker could exploit the vulnerability to bypass the built-in CSRF protections of Ruby on Rails -- and that of Django, another Web development platform, which also patched its products earlier this month -- and successfully attack a Web application built with those tools.
The security mailing list message posted Feb. 10 spelled out several affected browsers, including Firefox -- including an earlier beta of Firefox 4 -- as well as Google's Chrome and Apple's Safari on both Windows and Mac OS.
That same message also said that a Google security researcher had first reported the CSRF vulnerability.
Last week, an Adobe spokeswoman said she knew nothing about a potential zero-day that would impact its software and/or Firefox.
Mozilla will patch the CSRF flaw in both Firefox 2.5.17 and Firefox 3.6.14 when they ship next week, a spokeswoman for that company confirmed late Wednesday.
The timing of the update may help Firefox survive the Pwn2Own, the hacking contest that kicks off March 9 at the CanSecWest security conference in Vancouver, British Columbia.
Firefox will be one of four browsers -- the others are Chrome, Safari and Microsoft's Internet Explorer -- that will be targeted by attackers hoping to walk off with $15,000 or $20,000 in cash. Pwn2Own's rules state that the targeted browsers will be "the latest release candidate at the time of the contest," meaning that researchers will have to tackle Firefox 3.6.14.
Last year, Mozilla confirmed a critical vulnerability in Firefox less than a week before 2010's Pwn2Own, but said it wouldn't fix the flaw until after the contest. Pwn2Own organizers then ruled that hackers would not be allowed to use the vulnerability to exploit Firefox.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts