Mozilla follows Google, patches Firefox as prep for Pwn2Own
Quashes 11 bugs, including CSRF flaw that worried Adobe
Computerworld - Mozilla on Tuesday fixed 11 security flaws in Firefox, following in rival Google's footsteps in patching its browser before a hacking contest kicks off next week.
Nine of the 11 flaws were rated "critical," a threat rating that implies hackers could use the vulnerabilities to compromise a computer or infect it with malware. Of the two remaining bugs, one was labeled "high" and the second was tagged as "moderate."
The updates, which brought the open-source browser to versions 3.6.14 and 3.5.17, were the first since December, a longer-than-usual span between Mozilla patch shipments. Part of the reason was that Tuesday's updates were delayed. They had been slated to show in mid-February, but Mozilla held them to investigate a non-security bug that caused some users' browsers to crash.
An Adobe security researcher reported the CSRF vulnerability, which was the issue rated high, Mozilla said in its patch notes. According to information posted on a security mailing list last month, the CSRF bug can be exploited in several browsers -- Firefox, Apple's Safari and Google's Chrome -- using a malformed Flash file.
Previously, Mozilla developers had reported that Adobe was pressing them to issue a patch for the CSRF bug.
Tuesday's security update reached users eight days before Pwn2Own, the annual hacking contest held at the CanSecWest security conference in Vancouver, British Columbia. Pwn2Own begins March 9, when security researchers will compete for $65,000 in prizes by trying to take down the most up-to-date production editions of Firefox, Chrome, Safari and Microsoft's Internet Explorer.
Google patched 19 bugs in Chrome on Monday, making Firefox the second of the four targeted browsers to get a last-minute security polish before the challenge.
Last year, Google and Apple updated their browsers just days before Pwn2Own, but Mozilla did not. Instead, Mozilla acknowledged a critical vulnerability in Firefox less than a week before 2010's contest, but said it wouldn't fix the flaw until after its conclusion. Pwn2Own organizers then ruled that hackers would not be allowed to use the vulnerability to exploit Firefox.
Firefox 3.6.14, the version that will be attacked at Pwn2Own, will soon be displaced by Firefox 4, which entered its final beta Monday. Mozilla is moving toward a "release candidate" build, and unless unexpected problems pop up, will probably ship the browser this month.
Users can update to Firefox 3.6.14 by downloading the new edition or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.5 users can obtain version 3.5.17 with the update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- iPhone, BlackBerry tumble to Pwn2Own hackers
- Researcher chains three exploits to take down IE8 at Pwn2Own
- Safari, IE hacked first at Pwn2Own
- Researcher blows $15K by reporting bug to Google
- Microsoft won't patch IE before Pwn2Own
- Apple to patch Safari before Pwn2Own, say researchers
- Mozilla follows Google, patches Firefox as prep for Pwn2Own
- Three-time Pwn2Own winner knocks hacking contest rules
- Familiar faces, new names step up at Pwn2Own hacking contest
- Update: Firefox update will patch CSRF bug, Mozilla says
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts