Less than a week before the annual CanSecWest Pwn2Own hacker challenge, two major browser vendors have shipped major updates to fix gaping security holes.
The latest updates from Mozilla Firefox and Google Chrome cover flaws that could lead to remote code execution attacks, according to separate advisories issued this week.
The release of the patches -- Firefox 3.6.14 and Google Chrome 9.0.597.107 (all platforms) -- is quite possibly not linked to the Pwn2Own contest, which encourages security researchers to hack into the major browsers, but it is typical for software vendors to issue monster patches just ahead of the challenge every year.
This year's contest includes an actual challenge by Google for hackers to attempt to break out of the Chrome sandbox. Google is putting up a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability — and sandbox escape — in Chrome.
Earlier this week, Google shipped a major security makeover that included $14,000 in cash payments to bug finders. This mega-patch covered a total of 18 security holes, most rated "high-risk." Google said it has paid in excess of $100,000 to researchers as part of its bug bounty program.
Separately, Mozilla shipped a new Firefox version to fix the following:
- MFSA 2011-10 CSRF risk with plugins and 307 redirects
- MFSA 2011-09 Crash caused by corrupted JPEG image
- MFSA 2011-07 Memory corruption during text run construction (Windows)
- MFSA 2011-06 Use-after-free error using Web Workers
- MFSA 2011-03 Use-after-free error in JSON.stringify
- MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
- MFSA 2011-01 Miscellaneous memory safety hazards (rv:220.127.116.11/ 18.104.22.168)
Eight of the 10 Mozilla issues are rated "critical," meaning they can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing.
Firefox and Chrome both have automatic update mechanisms to deploy these patches.
If history holds true, look for Apple to ship a bumper Safari patch early next week.