Mozilla Firefox first to patch Pwn2Own vulnerability
Mozilla is the first browser vendor to fix a vulnerability exploited at this year's CanSecWest Pwn2Own contest.
Just one week after a U.K.-based hacker known as "Nils" broke into a 64-bit Windows 7 machine with a Firefox vulnerability, the open-source group shipped Firefox 3.6.3 to plug the security hole.
From Mozilla's advisory:
However, the group said it will issue a patch for Firefox 3.5 in an upcoming release "just in case there is an alternate way of triggering the bug."
The Firefox 3.6.3 update is rated critical. It will be shipped via the browser's automatic update mechanism.
At the Pwn2Own hacker challenge, Nils used several tricks to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to get his drive-by download to load an executable on the target machine.