With Pwn2Own looming, Mozilla and Google ship browser patches

With Pwn2Own looming, Mozilla and Google ship browser patches

Summary: Less than a week before the annual CanSecWest Pwn2Own hacker challenge, two major browser vendors have shipped major updates to fix gaping security holes.

SHARE:
TOPICS: Security, Browser, Google
15

Less than a week before the annual CanSecWest Pwn2Own hacker challenge, two major browser vendors have shipped major updates to fix gaping security holes.

The latest updates from Mozilla Firefox and Google Chrome covers flaws that could lead to remote code execution attacks, according to separate advisories issued this week.

The release of the patches -- Firefox 3.6.14 and Google Chrome 9.0.597.107 (all platforms) -- is quite possibly not linked to the Pwn2Own contest, which encourages security researchers to hack into the major browsers but it is typical for software vendors to issue monster patches just ahead of the challenge every year.

This year's contest includes an actual challenge by Google for hackers to attempt to break out of the Chrome sandbox.  Google is putting up a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability — and sandbox escape — in Chrome.follow Ryan Naraine on twitter

Earlier this week, Google shipped a major security makeover that included $14,000 is cash payments to bug finders.  This mega-patch covered a total of 18 security holes, most rated "high-risk."    Google said it has paid in excess of $100,000 to researchers as part of its bug bounty program.

Separately, Mozilla shipped a new Firefox version to fix the following:

  • MFSA 2011-10 CSRF risk with plugins and 307 redirects
  • MFSA 2011-09 Crash caused by corrupted JPEG image
  • MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
  • MFSA 2011-07 Memory corruption during text run construction (Windows)
  • MFSA 2011-06 Use-after-free error using Web Workers
  • MFSA 2011-05 Buffer overflow in JavaScript atom map
  • MFSA 2011-04 Buffer overflow in JavaScript upvarMap
  • MFSA 2011-03 Use-after-free error in JSON.stringify
  • MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
  • MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

Eight of the 10 Mozilla issues are rated "critical," meaning they can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing.\

Firefox and Chrome both have automatic update mechanisms to deploy these patches.

If history holds true, look for Apple to ship a bumper Safari patch early next week.

Topics: Security, Browser, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

15 comments
Log in or register to join the discussion
  • So they did only because of Pwn2Own

    and not because they care about end user.

    I'll go with that with Google, not Mozilla. for Mozilla it was just timing, with Google my guess is that Pwn2Own forced them to.
    Will Farrell
    • subjective much?

      @Will Farrell
      UrNotPayingAttention
  • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

    Mozilla Firefox is out with 3.6.15 as I type.
    Chiatzu
    • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

      @Chiatzu
      Yep that is what it installed here.
      3.6.15
      MoeFugger
  • So lets start having Pwn2Own on a monthly basis :-)

    will IE9 RC be included?
    Johnny Vegas
  • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

    Apple probably slipped a few through via the recent iTunes update.<br><br>It all hinges on whether they've covered the holes that have been worked on for months, prior to the event.<br><br>Can you use pdf's in this pwn2own thing or would that make it too easy?
    alsobannedfromzdnet
    • from what i understand...

      @alsobannedfromzdnet

      no .pdf's, no .swf, etc., on the first day. browser only.

      on the second day, it opens up to add-ins. of course, the reward dwindles as well.
      UrNotPayingAttention
  • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

    Microsoft feels confident with IE9 or IE8 that they did not released an update before pwn2own?
    iluvmsft
    • Not likely

      @iluvmsft It is more probable that MS figure the brand new attempt to catchup with the rest is not good enough and they don't want the version tarnished just before it is officially released.

      Given MS's history on pwn2own I honestly doubt it would make any difference anyway.
      wackoae
      • Agreed. The fact that others are easily hacked before Microsoft

        @wackoae
        It makes sense not to worry.
        :|
        Tim Cook
    • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

      @iluvmsft

      I doubt IE9 RC has a high enough market share to meet the bar for inclusion in Pwn2Own. I suppose there's still time for an IE8 update, but Microsoft may not be all that interested in focusing on it, since IE9 is on the way, and has so many code changes.

      Before last year's Pwn2Own, Charlie Miller gave his opinion that Chrome and IE8 are probably the most secure browsers anyway. However, he also said that the differences between browsers are too small to get worked up about, and that the real key to a secure browser is to not install Flash.

      In response to a question about Linux, Miller commented that Linux is 'no harder', and 'probably easier' to hack than Windows or Mac OS, but that the organisers of Pwn2Own don't include it because hardly anyone uses it on the desktop. Opera is excluded for the same reason.

      http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/
      WilErz
      • Message has been deleted.

        LTV10
      • What the hell was that deleted for?

        Charlie Miller talking nonsense?

        [i]In response to a question about Linux, Miller commented that Linux is 'no harder', and 'probably easier' to hack than Windows or Mac OS, but that the organisers of Pwn2Own don't include it because hardly anyone uses it on the desktop.[/i]

        That is just plain false. They couldn't "hack" it because they don't know how to. If Miller says it's "probably easier" to hack than windoze, then why hasn't he done it yet? Why isn't he the first in the history books to do so?

        Because he can't, that's why.

        Is zdnet afraid of the truth here or what...
        LTV10
  • RE: With Pwn2Own looming, Mozilla and Google ship browser patches

    Apparently they were tired of losing to microsoft! Look at the bright side though, everybody beat Apple! :-D
    slickjim
    • There is no consolation in that

      @Peter Perry
      It is much like an NBA player having a freethrow match against a three year old.
      There is no challenge in that, so there is really no satisfaction in winning.
      :|
      Tim Cook