Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes

Firefox 28 adds support for OS X's Notification Center

Mozilla on Tuesday patched five vulnerabilities exploited by researchers last week at the Pwn2Own hacking contest, where they were awarded $200,000 for their collective efforts.

The upgrade to Firefox 28 also added support for OS X's Notification Center and VP9 video decoding on all platforms. VP9 is an open-source video compression standard created by Google, and supported by Chrome, Firefox and Opera Software's Opera.

But Firefox 28 was primarily a security update, patching the five Pwn2Own flaws and 15 others.

At the hacking challenge, co-sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program and Google, Firefox fell to four teams or individuals, twice as many hacks as any other browser. Each successful exploit earned the researcher(s) $50,000, the lowest award for any of the browsers: Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Firefox.

Google patched the Chrome vulnerabilities last Friday, the day after Pwn2Own ended.

Mariusz Mlynski, Jüri Aedla, and a team from French vulnerability seller Vupen cracked Firefox on the first day of Pwn2Own; George Hotz hacked it on the second.

Firefox's four-peat fail and the low dollar amount of the reward reflected the ease with which attackers can hack the browser, which, unlike Chrome, IE and Safari, does not include anti-exploit "sandboxing" technology that isolates the browser from the rest of the system.

To execute attack code on a device with a sandboxed browser, hackers must not only exploit a vulnerability in the browser, but find a way to bypass the sandbox, often with a second vulnerability.

That was highlighted at Pwn2Own, where three of the four Firefox hacks relied on just one vulnerability. (Mlynski was the only researcher who exploited two bugs in Firefox.)

All five of the Pwn2Own-related bugs were rated "critical" by Mozilla, the firm's highest threat ranking.

Two other critical vulnerabilities were patched Tuesday, identified as "memory safety bugs" in the engine that powers Firefox. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla wrote in the accompanying security bulletin.

Mozilla also patched three vulnerabilities rated "high," seven tagged "moderate," and three judged "low" in Firefox 28. Two of the 13 were for Firefox on Android only, while another was limited to Firefox OS, the lightweight browser-based mobile operating system that Mozilla has sunk serious resources into in an attempt to take a seat at the smartphone table.

Firefox currently accounts for about 17.7% of all desktop browsers, its lowest "user share" since May 2008, according to the latest statistics from Web measurement firm Net Applications.

Windows, Mac and Linux editions of Firefox 28 can be downloaded from Mozilla's site; already installed copies will upgrade automatically. Users of Firefox for Android can retrieve the update from the Google Play store.

The next version of Firefox is scheduled to ship April 29. That version, Firefox 29, is currently slated to debut the browser's new user interface (UI), dubbed "Australis."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.

Copyright © 2014 IDG Communications, Inc.
