Mozilla kills Firefox Pwn2Own bug

Mozilla has won the race among browser makers to fix code execution holes exploited during this year's CanSecWest Pwn2Own hacker contest.The open-source group today shipped Firefox 3.

Mozilla has won the race among browser makers to fix code execution holes exploited during this year's CanSecWest Pwn2Own hacker contest.

The open-source group today shipped Firefox 3.0.8 with fixes for two separate vulnerabilities, including a drive-by download issue used by a hacker named "Nils" to win the Pwn2Own competition.  The update also fixes a zero-day flaw released earlier this week on a public exploit site. Both issues are rated "critical," Mozilla's highest severity rating.

[ SEE: Nils2Own: 'I want to see security flaws fixed' ]

The skinny:

  • MFSA 2009-13: Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer. This vulnerability does not affect Firefox 2, Thunderbird 2, or released versions of SeaMonkey.
  • MFSA 2009-12: Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original testcase and contributed a patch to fix the vulnerability.

ALSO SEE: Exploit code sends Mozilla scrambling to fix Firefox