Mozilla First To Patch Pwn2Own Browser Vulnerability
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."
MS patched this on IE8 on Vista already before it published Mar 19. http://blogs.iss.net/archive/chicksdigIE8.html
XP hasn't been patched yet. Doesn't support DEP, so will be a bit more work.
Actually, the IE8 exploit used during the Pwn2Own contest wouldn't work on the final release of IE8 published one day later on the 19th of March.
http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure
Could you get such fast service? Certainly.
With such minimal vetting? I doubt it. Only if you're a trusted submitter to the Mozilla tree. And if you were, you'd only get to pull a stunt like that once.
"City hall" in German is "Rathaus" Kinda explains a few things......
And did closed source help MS to make a more secure browser?
umm, yes.
the person who cracked safari on osx said that ie8 on vista was the toughest to exploit.
seven
Well, it wouldn't work on Vista on the final release of IE8, except on Intranet pages. Apparently, it still works on IE8 running under XP, still works on Intranet pages. The underlying vulnerability is still present on IE8 on all platforms, it's just that there's not currently any way to exploit it thanks to DEP and ASLR.
On the other hand, Firefox on Linux wasn't exploited at all.
Dilbert RSS feed
"Charlie: The NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me."
That has nothing to do with it being closed source.
That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?
I'm not. I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.
OSS developers should think about those of us that are still happy with their older software! (or can't upgrade) I'm only 1 major version behind the current Firefox.
I'm not sure if I'm in danger of a drive-by download though. I do remember getting a few "exe" programs downloaded to my HD while visiting some shadier sites. I just laugh, delete it, and move on.
"That's so plausible, I can't believe it!" - Leela
I can't download the upgrade. I'm running OSX 10.3.9, and Firefox 2.0.0.1. Firefox 3.x requires 10.4.
OSS developers should think about those of us that are still happy with their older software! (or can't upgrade)
Mac OS X is not open-source software. If you can't install Leopard or even Tiger on your PowerPC Mac, try installing a Linux distribution that supports your Mac model. I'm sure they still exist.