The Pwn2Own security challenge is an annual competition in which hackers and security experts from all over the world try to beat the protection of software and mobile devices. Winners of the contest not only get prize money for their efforts, but can also keep the devices they successfully exploited.
This year, all three major browsers - Internet Explorer, Google Chrome and Mozilla Firefox - were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a "use-after-free" memory flaw that it combined with a bypass of the ASLR and DEP memory protections. Both ASLR and DEP are features of the Windows operating system that help protect the system's memory against exploits.
If you are a user of Firefox, you may have noticed that a new version is already available, bringing the version of Firefox on the stable channel to 19.0.2. The patch is a direct result of the Pwn2Own exploit that VUPEN used against the Firefox web browser on Windows.
It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.
The Firefox 19.0.2 release notes highlight that this is the only change in this version of the browser. The release notes link to a security advisory page that offers the following additional information:
VUPEN Security, via TippingPoint's Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand() function while internal editor operations are occurring. This could allow for arbitrary code execution.
The advisory also notes that Thunderbird and SeaMonkey received a fix to resolve the security issue.
The Firefox 19.0.2 release raises the version of all Firefox releases to 19.0.2. You may remember that the 19.0.1 update was only released to users of the Windows 8 operating system, while all other users of Firefox remained on 19.0.
If you did not receive the automatic update yet, click on Firefox > Help > About Firefox to run a manual update check instead. You can alternatively download the latest version from Mozilla directly. There you will also find downloads for all other products affected by the vulnerability.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.