Mozilla knew of Pwn2Own bug before CanSecWest

Mozilla knew of Pwn2Own bug before CanSecWest

Summary: The vulnerability was described as a "memory safety problem in the array.join function" and was bundled into a security advisory that carries a critical rating.

SHARE:
TOPICS: Browser
3

Even before a pair of researchers hacked into Firefox to snag second place at the CanSecWest Pwn2Own contest, Mozilla knew about the vulnerability and was working on a fix.

That fix arrived today with Firefox 11, a high-priority update that fixes a dozen security flaws that expose Windows and Mac OS X users to a wide range of hacker attacks.

"The security bug reported by ZDI is one we had already identified and fixed through our internal processes," said Johnathan Nightingale, Senior Director of Firefox Engineering.follow Ryan Naraine on twitter

Researchers hack into newest Firefox with zero-day flaw ]

Mozilla had originally delayed the release of Firefox 11 to wait for the Pwn2Own vulnerability details but once the open-source group realized it was the same issue that was identified by researcher Jeff Walden, the patch was pushed out the door.

The vulnerability was described as a "memory safety problem in the array.join function" and was bundled into a security advisory that carries a critical rating.  At Pwn2Own, researchers Willem Pinckaers and Vincenzo Iozzo exploited the flaw to launch a remote code execution attack that required no user action beyond browsing to a rigged web page.

[ SEE: Ten little things to secure your online presence ]

Here's a listing of the vulnerabilities fixed with this Firefox update:

  • MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
  • MFSA 2012-18 window.fullScreen writeable by untrusted content
  • MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
  • MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
  • MFSA 2012-15 XSS with multiple Content Security Policy headers
  • MFSA 2012-14 SVG issues found with Address Sanitizer
  • MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
  • MFSA 2012-12 Use-after-free in shlwapi.dll

Firefox 11 is available for via the browser's software update utility.

ALSO SEE:

  • Teenager hacks Google Chrome with three 0day vulnerabilities
  • Pwn2Own 2012: Google Chrome browser sandbox first to fall
  • CanSecWest Pwnium: Google Chrome hacked with sandbox bypass
  • Charlie Miller skipping Pwn2Own as new rules change hacking game
  • CanSecWest Pwn2Own hacker challenge gets a $105,000 makeover
  • How Google set a trap for Pwn2Own exploit team
  • Researchers hack into newest Firefox with zero-day flaw
  • Video: Microsoft responds to Pwn2Own IE hack
  • Topic: Browser

    Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

    Talkback

    3 comments
    Log in or register to join the discussion
    • Mozilla knew of Pwn2Own bug before CanSecWest

      Thanks for the info, just updated to FF 11.
      Loverock Davidson-
    • reply

      If you are looking to purchase Monster High dolls then you can purchase from here- http://buymonsterhighdolls.com
      techrahul
    • Agreed

      I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts.Thanks.http://www.youtube.com/watch?v=oZcFVqOPuQE
      gladgame