Mozilla updates Firefox to 19.0.2 in response to Pwn2own issue - gHacks Tech News

Mozilla updates Firefox to 19.0.2 in response to Pwn2own issue

The Pwn2own security challenge is an annual competition in which hackers and security experts from all over the world try to beat the protection of software and mobile devices. Winners of the contest not only get prize money for their efforts, but can also keep the devices they successfully exploited.

This year, all three major browsers - Internet Explorer, Google Chrome and Mozilla Firefox -  were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a "use-after-free" memory flaw that it combined with an ASLR/DEP memory exploit. Both ASLR and DEP are part of the Windows operating system that help protect the system's memory against exploits.

If you are a user of Firefox you may have noticed that a new version is available already, bringing the version of Firefox on the stable channel to 19.0.2 The patch is a direct result of the Pwn2own exploit that was used by Vupen to exploit the Firefox web browser on Windows.

It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.

The Firefox 19.0.2 release notes highlight that this is the only change in this version of the browser. The release notes link to a security advisory page that offers the following additional information:

VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand()function while internal editor operations are occurring. This could allow for arbitrary code execution.

It also highlights that Thunderbird and SeaMonkey also received a fix to resolve the security issue.

The Firefox 19.0.2 release raises the version of all Firefox releases to 19.0.2. You may remember that the 19.0.1 update was only released to users of the Windows 8 operating system, while all other users of Firefox remained on 19.0..

If you did not receive the automatic update yet, click on Firefox > Help > About Firefox to run a manual update check instead. You can alternatively download the latest version from Mozilla directly. There you also find downloads for all other products affected by the vulnerability.

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Ficho said on March 8, 2013 at 5:13 am
    Reply

    Updated.Do you know what are the exploits in Internet Explorer?

    1. Martin Brinkmann said on March 8, 2013 at 5:19 am
      Reply
  2. ilev said on March 8, 2013 at 5:21 am
    Reply

    Chrome, which according to Google hasn’t really got fully hacked (the hackers got trapped in VM and used a venerability in Windows 7), also got an update to new version Google Chrome 25.0.1364.160.

    The same VUPEN Security has totally hacked into Surface Pro Windows 8, using 2 zero-day vulnerabilities in IE10, taking full control over Windows 8 pc. Microsoft hasn’t, and I don’t think it will, fix those zero-day security bugs until next Thursday updates.

    1. ilev said on March 8, 2013 at 5:24 am
      Reply

      Correction, not VM , it should be got trapped in sandbox.

    2. chris said on March 8, 2013 at 7:03 am
      Reply

      lol, if google want to blame windows, then its sandbox isn’t working. When system goes down, claim browser is innocent is laughable, since it plays a trigger role.

      1. ilev said on March 8, 2013 at 11:14 am
        Reply

        LOL to you. The OS is always to blame no matter which application gets hacked. The OS should be immune against any attack from any application. Microsoft is stupid not to secure its OS, and even worse, adds to Windows security hoax elements like DEP, ASLR,MSE, Defender…..which are the laughing stock of the security community, but gives the users of Windows a false feeling that Windows is secure.

  3. Nicolai said on March 8, 2013 at 7:49 am
    Reply

    VUPEN managed to exploit the browser using a use*-after-free memory flaw

  4. insanelyapple said on March 8, 2013 at 7:57 am
    Reply

    I was pretty sure that all plaforms got 19.0.1.

    1. Searcher said on March 8, 2013 at 11:00 am
      Reply
  5. Mitch said on March 8, 2013 at 1:24 pm
    Reply

    “not only get price money for their efforts”

    I imagine the word should be “prize”?

    1. Martin Brinkmann said on March 8, 2013 at 1:43 pm
      Reply

      Right, corrected.

  6. ilev said on March 8, 2013 at 1:45 pm
    Reply

    @chris,

    …We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges

    http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

    Flash and Java has been hacked too .

  7. Andrew said on March 8, 2013 at 2:58 pm
    Reply

    19.0.2 doesn’t work at all.
    Automatically upgraded. Automatically restarted. Now it just doesn’t browse.
    I had to install chrome to get here.

  8. rickxs said on March 8, 2013 at 5:00 pm
    Reply

    Firefox updated through the browser >help-about ,yet Avast software updater says up to date with ver. 19.0 even a rescan did not find 19.2

  9. Conan said on March 9, 2013 at 6:26 am
    Reply

    @ilev Your sheer stupidity is amazing.
    LOL at DEP and ASLR being a laughing stock. Many security professional recommends to enable it and even use EMET to force the applications to use DEP and ASLR.

  10. Lisa said on March 28, 2013 at 1:01 pm
    Reply

    It’s too bad that now Firefox doesn’t work very well. Will not restore previous tabs. Opens a number of icons on the taskbar that will not restore. Hopefully, more updates will follow soon.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.