Mozilla updates Firefox to 19.0.2 in response to Pwn2own issue

Martin Brinkmann
Mar 8, 2013
Updated • Mar 8, 2013

The Pwn2own security challenge is an annual competition in which hackers and security experts from all over the world try to beat the protection of software and mobile devices. Winners of the contest not only get prize money for their efforts, but can also keep the devices they successfully exploited.

This year, all three major browsers - Internet Explorer, Google Chrome and Mozilla Firefox -  were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a "use-after-free" memory flaw that it combined with an ASLR/DEP memory exploit. Both ASLR and DEP are part of the Windows operating system that help protect the system's memory against exploits.

If you are a user of Firefox you may have noticed that a new version is available already, bringing the version of Firefox on the stable channel to 19.0.2 The patch is a direct result of the Pwn2own exploit that was used by Vupen to exploit the Firefox web browser on Windows.

It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.

The Firefox 19.0.2 release notes highlight that this is the only change in this version of the browser. The release notes link to a security advisory page that offers the following additional information:

VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand()function while internal editor operations are occurring. This could allow for arbitrary code execution.

It also highlights that Thunderbird and SeaMonkey also received a fix to resolve the security issue.

The Firefox 19.0.2 release raises the version of all Firefox releases to 19.0.2. You may remember that the 19.0.1 update was only released to users of the Windows 8 operating system, while all other users of Firefox remained on 19.0..

If you did not receive the automatic update yet, click on Firefox > Help > About Firefox to run a manual update check instead. You can alternatively download the latest version from Mozilla directly. There you also find downloads for all other products affected by the vulnerability.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Lisa said on March 28, 2013 at 1:01 pm

    It’s too bad that now Firefox doesn’t work very well. Will not restore previous tabs. Opens a number of icons on the taskbar that will not restore. Hopefully, more updates will follow soon.

  2. Conan said on March 9, 2013 at 6:26 am

    @ilev Your sheer stupidity is amazing.
    LOL at DEP and ASLR being a laughing stock. Many security professional recommends to enable it and even use EMET to force the applications to use DEP and ASLR.

  3. rickxs said on March 8, 2013 at 5:00 pm

    Firefox updated through the browser >help-about ,yet Avast software updater says up to date with ver. 19.0 even a rescan did not find 19.2

  4. Andrew said on March 8, 2013 at 2:58 pm

    19.0.2 doesn’t work at all.
    Automatically upgraded. Automatically restarted. Now it just doesn’t browse.
    I had to install chrome to get here.

  5. Ficho said on March 8, 2013 at 2:07 pm
  6. ilev said on March 8, 2013 at 1:45 pm


    …We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges

    Flash and Java has been hacked too .

  7. Mitch said on March 8, 2013 at 1:24 pm

    “not only get price money for their efforts”

    I imagine the word should be “prize”?

    1. Martin Brinkmann said on March 8, 2013 at 1:43 pm

      Right, corrected.

  8. insanelyapple said on March 8, 2013 at 7:57 am

    I was pretty sure that all plaforms got 19.0.1.

    1. Searcher said on March 8, 2013 at 11:00 am
  9. Nicolai said on March 8, 2013 at 7:49 am

    VUPEN managed to exploit the browser using a use*-after-free memory flaw

  10. ilev said on March 8, 2013 at 5:21 am

    Chrome, which according to Google hasn’t really got fully hacked (the hackers got trapped in VM and used a venerability in Windows 7), also got an update to new version Google Chrome 25.0.1364.160.

    The same VUPEN Security has totally hacked into Surface Pro Windows 8, using 2 zero-day vulnerabilities in IE10, taking full control over Windows 8 pc. Microsoft hasn’t, and I don’t think it will, fix those zero-day security bugs until next Thursday updates.

    1. chris said on March 8, 2013 at 7:03 am

      lol, if google want to blame windows, then its sandbox isn’t working. When system goes down, claim browser is innocent is laughable, since it plays a trigger role.

      1. ilev said on March 8, 2013 at 11:14 am

        LOL to you. The OS is always to blame no matter which application gets hacked. The OS should be immune against any attack from any application. Microsoft is stupid not to secure its OS, and even worse, adds to Windows security hoax elements like DEP, ASLR,MSE, Defender…..which are the laughing stock of the security community, but gives the users of Windows a false feeling that Windows is secure.

    2. ilev said on March 8, 2013 at 5:24 am

      Correction, not VM , it should be got trapped in sandbox.

  11. Ficho said on March 8, 2013 at 5:13 am

    Updated.Do you know what are the exploits in Internet Explorer?

    1. Martin Brinkmann said on March 8, 2013 at 5:19 am

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.