Mozilla patches Firefox's critical Pwn2Own bug
- 31 March, 2009 08:38
- Comments
Mozilla Corp. patched two critical Firefox bugs on Friday, including one used the week before by a German student to win $15,000 for hacking three different browsers at the Pwn2Own contest.
Firefox 3.0.8 was released several days earlier than expected. As recently as Thursday, Mozilla had set April 1 as the ship date for what the company labeled a "high-priority fire-drill security update" that would fix not only the Pwn2Own bug, but another that was revealed last Wednesday.
Both vulnerabilities were rated critical by Mozilla, But the most notable was clearly the one exploited earlier this month at CanSecWest, the Vancouver, British Columbia security conference that hosts the Pwn2Own hacking challenge.
At the contest, a 25-year-old computer science student from Germany who would only give his first name as Nils hacked Firefox and Safari on an Apple Inc. notebook, as well as Microsoft Corp.'s Internet Explorer 8 running on Windows 7. Nils was paid $5,000 for each successful exploit by 3Com Inc.'s TippingPoint, the Pwn2Own sponsor.
According to Mozilla, Nils' bug is in XUL, Mozilla's XML user interface markup language. In some cases, the "_moveToEdgeShift" tree method crashed Firefox; that crash could then "be used by an attacker to run arbitrary code on a victim's computer," Mozilla concluded.
Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its bug tracking and management database, allowing only authorized users to view more information on the flaw.
Firefox 3.0.8 also patched a critical vulnerability that had gone public on the milw0rm.com exploit site last Wednesday. The bug allowed an attacker to crash Firefox by using malicious XSL code embedded on a Web site. "An attacker could potentially use this crash to run arbitrary code on a victim's computer," Mozilla warned in the accompanying security advisory.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browsers' built-in updater, or wait for the automatic update notification, which should pop up within 48 hours.
As expected, Mozilla beat rivals Microsoft and Apple Inc. by patching its Pwn2Own vulnerability first. Although the exploit Nils used to hack IE8 Release Candidate 1 (RC1) has been blocked by the final version of the browser -- it shipped a day after Pwn2Own -- the underlying flaw has not been fixed, and can be leveraged by attackers against Windows XP, according to TippingPoint's manager of security response, Terri Forslof.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
- Firefox likely to win race to fix PWN2OWN contest bug
- Researcher hacks just-launched IE8
- MFSA 2009-13: Arbitrary code execution via XUL <tree> element
- MFSA 2009-12: XSL Transformation vulnerability
- Firefox web browser : International versions: Get Firefox in your language
- Hack contest sponsor confirms IE8 bug in final code
-
Droid Razr Maxx: An Android smartphone for big talkers
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Telstra reports issue with BigPond email accounts
-
MYOB Software for Dummies 6E Australian Edition
-
Windows 7 for Seniors for Dummies®
-
Office 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Dummies®
-
Microsoft Office
-
Computers for Seniors for Dummies, 2nd Edition
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Teach Yourself Visually Windows 7
-
Office 2007 for Dummies
Get exclusive access to Techworld news, reports & analysis. 
Comments
Post new comment