Computerworld - Mozilla late yesterday patched a critical Firefox vulnerability used by a German researcher to win $10,000 for hacking the open-source browser at last week's Pwn2Own contest.
In a repeat of 2009, Mozilla was the first browser maker to patch a bug exploited at Pwn2Own. In fact, the company improved on its performance by fixing the newest flaw only eight days after Nils, a researcher who works for U.K.-based MWR InfoSecurity, hacked Firefox. Last year, Mozilla took 10 days to come up with its Pwn2Own fix. Nils also successfully exploited Firefox at 2009's contest.
This time, Nils used a memory corruption flaw to hack the browser, Mozilla said in the security advisory that accompanied the update to Firefox 3.6.3. It rated the bug as "critical," the highest threat ranking in its four-step scoring system.
Nils exploited Firefox 3.6.2 -- Mozilla had patched the browser just two days before the contest kicked off -- on 64-bit Windows 7, also bypassing the operating system's DEP (data execution prevention) and ASLR (address space layout randomization) defenses. For his work, Nils was awarded $10,000 by 3Com TippingPoint, Pwn2Own's sponsor.
Other researchers hacked Apple's Safari and Microsoft's Internet Explorer 8 (IE8) to also win $10,000 each.
According to Mozilla, Nils' exploit only works against Firefox 3.6, the newest edition, but the company said it planned to also patch Firefox 3.5 "just in case there is an alternate way of triggering the bug." Mozilla did not specify a timeline for the Firefox 3.5 update.
Firefox 3.5 was just patched last Monday to bring it to version 3.5.9.
Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its change- and bug-tracking database, allowing only authorized users to view information on the flaw. That move is typical of Mozilla when it has patched some, but not all, of its browsers.
Neither Apple or Microsoft has announced plans to patch their Pwn2Own vulnerabilities. Microsoft has acknowledged receiving details of the IE8 vulnerabilities that Dutch researcher Peter Vreugdenhil used to hack the browser, but earlier this week said a patch was not ready. "We are still investigating that issue at this time so we do not have an update available," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC).
Last Tuesday, Microsoft patched 10 other vulnerabilities in IE, including one that had been widely used by attackers for several weeks to conduct drive-by attacks. Those attacks prompted Microsoft to accelerate the release of the IE update, which was originally slated to ship April 13.
TippingPoint does not release details of the vulnerabilities exploited for Pwn2Own, but instead purchases the rights to the flaws and exploit code as part of the contest. It then turns over information to the appropriate vendors. Only after the vendor has plugged the hole does TippingPoint disclose.
As of mid-day Friday, TippingPoint had not released any additional information about the Firefox vulnerability that Nils exploited and Mozilla just patched.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browsers' built-in updater or wait for the automatic update notification, which should pop up within 48 hours.
In a repeat of 2009, Mozilla was the first browser maker to patch a bug exploited at Pwn2Own. In fact, the company improved on its performance by fixing the newest flaw only eight days after Nils, a researcher who works for U.K.-based MWR InfoSecurity, hacked Firefox. Last year, Mozilla took 10 days to come up with its Pwn2Own fix. Nils also successfully exploited Firefox at 2009's contest.
This time, Nils used a memory corruption flaw to hack the browser, Mozilla said in the security advisory that accompanied the update to Firefox 3.6.3. It rated the bug as "critical," the highest threat ranking in its four-step scoring system.
Nils exploited Firefox 3.6.2 -- Mozilla had patched the browser just two days before the contest kicked off -- on 64-bit Windows 7, also bypassing the operating system's DEP (data execution prevention) and ASLR (address space layout randomization) defenses. For his work, Nils was awarded $10,000 by 3Com TippingPoint, Pwn2Own's sponsor.
Other researchers hacked Apple's Safari and Microsoft's Internet Explorer 8 (IE8) to also win $10,000 each.
According to Mozilla, Nils' exploit only works against Firefox 3.6, the newest edition, but the company said it planned to also patch Firefox 3.5 "just in case there is an alternate way of triggering the bug." Mozilla did not specify a timeline for the Firefox 3.5 update.
Firefox 3.5 was just patched last Monday to bring it to version 3.5.9.
Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its change- and bug-tracking database, allowing only authorized users to view information on the flaw. That move is typical of Mozilla when it has patched some, but not all, of its browsers.
Neither Apple or Microsoft has announced plans to patch their Pwn2Own vulnerabilities. Microsoft has acknowledged receiving details of the IE8 vulnerabilities that Dutch researcher Peter Vreugdenhil used to hack the browser, but earlier this week said a patch was not ready. "We are still investigating that issue at this time so we do not have an update available," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC).
Last Tuesday, Microsoft patched 10 other vulnerabilities in IE, including one that had been widely used by attackers for several weeks to conduct drive-by attacks. Those attacks prompted Microsoft to accelerate the release of the IE update, which was originally slated to ship April 13.
TippingPoint does not release details of the vulnerabilities exploited for Pwn2Own, but instead purchases the rights to the flaws and exploit code as part of the contest. It then turns over information to the appropriate vendors. Only after the vendor has plugged the hole does TippingPoint disclose.
As of mid-day Friday, TippingPoint had not released any additional information about the Firefox vulnerability that Nils exploited and Mozilla just patched.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browsers' built-in updater or wait for the automatic update notification, which should pop up within 48 hours.