With Pwn2Own looming, Mozilla and Google ship browser patches

Summary:Less than a week before the annual CanSecWest Pwn2Own hacker challenge, two major browser vendors have shipped major updates to fix gaping security holes.

Less than a week before the annual CanSecWest Pwn2Own hacker challenge, two major browser vendors have shipped major updates to fix gaping security holes.

The latest updates from Mozilla Firefox and Google Chrome covers flaws that could lead to remote code execution attacks, according to separate advisories issued this week.

The release of the patches -- Firefox 3.6.14 and Google Chrome 9.0.597.107 (all platforms) -- is quite possibly not linked to the Pwn2Own contest, which encourages security researchers to hack into the major browsers but it is typical for software vendors to issue monster patches just ahead of the challenge every year.

This year's contest includes an actual challenge by Google for hackers to attempt to break out of the Chrome sandbox.  Google is putting up a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability — and sandbox escape — in Chrome.

follow Ryan Naraine on twitter

Earlier this week, Google shipped a major security makeover that included $14,000 is cash payments to bug finders.  This mega-patch covered a total of 18 security holes, most rated "high-risk."    Google said it has paid in excess of $100,000 to researchers as part of its bug bounty program.

Separately, Mozilla shipped a new Firefox version to fix the following:

  • MFSA 2011-10 CSRF risk with plugins and 307 redirects
  • MFSA 2011-09 Crash caused by corrupted JPEG image
  • MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
  • MFSA 2011-07 Memory corruption during text run construction (Windows)
  • MFSA 2011-06 Use-after-free error using Web Workers
  • MFSA 2011-05 Buffer overflow in JavaScript atom map
  • MFSA 2011-04 Buffer overflow in JavaScript upvarMap
  • MFSA 2011-03 Use-after-free error in JSON.stringify
  • MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
  • MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

Eight of the 10 Mozilla issues are rated "critical," meaning they can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing.\

Firefox and Chrome both have automatic update mechanisms to deploy these patches.

If history holds true, look for Apple to ship a bumper Safari patch early next week.

Topics: Security, Browser, Google

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.