Mozilla updates Firefox to 19.0.2 in response to Pwn2own issue
The Pwn2own security challenge is an annual competition in which hackers and security experts from all over the world try to beat the protection of software and mobile devices. Winners of the contest not only get prize money for their efforts, but can also keep the devices they successfully exploited.
This year, all three major browsers - Internet Explorer, Google Chrome and Mozilla Firefox - were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a "use-after-free" memory flaw that it combined with a separate exploit to get past ASLR/DEP. Both ASLR and DEP are Windows operating system features that help protect the system's memory against exploits.
If you are a user of Firefox you may have noticed that a new version is available already, bringing the version of Firefox on the stable channel to 19.0.2. The patch is a direct result of the Pwn2own exploit that VUPEN used against the Firefox web browser on Windows.
It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.
The Firefox 19.0.2 release notes highlight that this is the only change in this version of the browser. The release notes link to a security advisory page that offers the following additional information:
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand() function while internal editor operations are occurring. This could allow for arbitrary code execution.
The advisory also notes that Thunderbird and SeaMonkey received fixes for the same security issue.
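As an added illustration (not Mozilla's code and not the real Firefox editor), the following C program models the bug class the advisory names: a command holds a raw pointer to an editor node, runs content script in the middle of its work, and that script removes the node. The static pool of nodes, the Node and Document types, remove_current_node, exec_command_vulnerable and exec_command_hardened are all constructed for this example; the pool's alive flag stands in for freed heap memory so that the stale access can be detected deterministically rather than read for real. The hardened version applies the usual fix for re-entrant code of this kind: take a strong reference for the duration of the command so the object cannot disappear underneath it.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

/* Editor node kept in a static pool so a stale access can be detected
 * deterministically instead of reading real freed heap memory (constructed). */
typedef struct Node {
    int alive;      /* 0 once returned to the pool; touching it then is a UAF */
    int refcount;   /* strong references currently held */
    char text[32];
} Node;

static Node pool[POOL_SIZE];

static Node *node_new(const char *text) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].alive) {
            pool[i].alive = 1;
            pool[i].refcount = 1;
            strncpy(pool[i].text, text, sizeof pool[i].text - 1);
            pool[i].text[sizeof pool[i].text - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void node_addref(Node *n) { n->refcount++; }

static void node_release(Node *n) {
    if (--n->refcount == 0) {
        n->alive = 0;                    /* object is gone from here on */
        memset(n->text, 0, sizeof n->text);
    }
}

/* Minimal document: one current node plus the script hook a command fires
 * mid-operation (the role document.execCommand() plays in the advisory). */
typedef struct Document {
    Node *current;
    void (*content_script)(struct Document *);
} Document;

/* Ordinary-looking script behaviour: drop the node the editor is working on. */
static void remove_current_node(Document *doc) {
    Node *n = doc->current;
    if (n == NULL) return;
    doc->current = NULL;
    node_release(n);                     /* frees the node if nobody else holds it */
}

#define UAF_DETECTED (-1)

/* Vulnerable pattern: a raw pointer is kept across the re-entrant script call. */
static int exec_command_vulnerable(Document *doc) {
    Node *n = doc->current;
    doc->content_script(doc);            /* script may release n underneath us */
    if (!n->alive)                       /* on a real heap this is the freed read */
        return UAF_DETECTED;
    return (int)strlen(n->text);
}

/* Hardened pattern: hold a strong reference for the duration of the command. */
static int exec_command_hardened(Document *doc) {
    Node *n = doc->current;
    node_addref(n);                      /* n now outlives whatever the script does */
    doc->content_script(doc);
    int result = n->alive ? (int)strlen(n->text) : UAF_DETECTED;
    node_release(n);                     /* the last reference goes away only here */
    return result;
}

/* Fresh pool, one node "hello" in the document, then run the command under test. */
static int run_scenario(int (*command)(Document *)) {
    memset(pool, 0, sizeof pool);
    Document doc = { node_new("hello"), remove_current_node };
    return command(&doc);
}

/* Nodes still alive in the pool (0 means nothing leaked once the command finished). */
static int pool_live_count(void) {
    int live = 0;
    for (int i = 0; i < POOL_SIZE; i++) live += pool[i].alive;
    return live;
}

int main(void) {
    printf("vulnerable: %d\n", run_scenario(exec_command_vulnerable)); /* -1 */
    printf("hardened:   %d\n", run_scenario(exec_command_hardened));   /* 5 */
    printf("live nodes: %d\n", pool_live_count());                    /* 0 */
    return 0;
}
```

The vulnerable command "succeeds" only by luck of what happens to be in the freed slot; the hardened one finishes its work on a node that is guaranteed alive and still leaves no leak behind, which is the property a reviewer should look for wherever native code calls back into script.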
The 19.0.2 release brings Firefox on all platforms to the same version. You may remember that the 19.0.1 update was only released to users of the Windows 8 operating system, while all other users of Firefox remained on 19.0.
If you did not receive the automatic update yet, click on Firefox > Help > About Firefox to run a manual update check instead. You can alternatively download the latest version from Mozilla directly. There you will also find downloads for all other products affected by the vulnerability.
It’s too bad that now Firefox doesn’t work very well. Will not restore previous tabs. Opens a number of icons on the taskbar that will not restore. Hopefully, more updates will follow soon.
@ilev Your sheer stupidity is amazing.
LOL at DEP and ASLR being a laughing stock. Many security professionals recommend enabling them, and even using EMET to force applications to use DEP and ASLR.
Firefox updated through the browser > Help > About, yet Avast software updater says up to date with ver. 19.0; even a rescan did not find 19.2.
19.0.2 doesn’t work at all.
Automatically upgraded. Automatically restarted. Now it just doesn’t browse.
I had to install chrome to get here.
Windows 7 version of IE10 is not affected.
http://news.softpedia.com/news/Microsoft-to-Patch-IE10-Flaws-that-Left-Windows-8-Open-to-Hackers-on-Tuesday-335562.shtml
@chris,
…We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges
http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/
Flash and Java have been hacked too.
“not only get price money for their efforts”
I imagine the word should be “prize”?
Right, corrected.
I was pretty sure that all platforms got 19.0.1.
you can download 19.0.2 here: ftp://ftp.mozilla.org/pub/firefox/releases/19.0.2/win32/
VUPEN managed to exploit the browser using a use*-after-free memory flaw
Chrome, which according to Google hasn’t really got fully hacked (the hackers got trapped in a VM and used a vulnerability in Windows 7), also got an update to a new version, Google Chrome 25.0.1364.160.
The same VUPEN Security has totally hacked into Surface Pro Windows 8, using 2 zero-day vulnerabilities in IE10, taking full control over a Windows 8 PC. Microsoft hasn’t, and I don’t think it will, fix those zero-day security bugs until next Thursday’s updates.
lol, if Google wants to blame Windows, then its sandbox isn’t working. When the system goes down, claiming the browser is innocent is laughable, since it plays a trigger role.
LOL to you. The OS is always to blame no matter which application gets hacked. The OS should be immune against any attack from any application. Microsoft is stupid not to secure its OS, and even worse, adds to Windows security hoax elements like DEP, ASLR, MSE, Defender... which are the laughing stock of the security community, but give the users of Windows a false feeling that Windows is secure.
Correction: not VM, it should be "got trapped in sandbox".
Updated. Do you know what the exploits in Internet Explorer are?
Only this: https://twitter.com/VUPEN/status/309479075385327617