Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla First To Patch Pwn2Own Browser Vulnerability

Posted by Soulskill on from the comparatively-quick dept.

Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

7 of 141 comments (clear)

  1. Re:And this is a surprise? by drinkypoo · · Score: 4, Insightful

    I also thought that open source had a built in Plan B that if a hole was found, anyone could submit a patch and it would get folded in as soon as it was reviewed and approved.

    That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. BAH! by iminplaya · · Score: 5, Insightful

    The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.

    --
    What?
  3. Re:And this is a surprise? by Anonymous Coward · · Score: 1, Insightful

    How many stories on Slashdot are surprising?

  4. There is a second benefit by Colin+Smith · · Score: 2, Insightful

    Of having discrete components, and of modular operating systems.

    Mozilla isn't integrated into the OS, so they can just fix bugs. IE is "integrated into the OS" which means they can't simply fix bugs, they've got to make sure the rest of the big ball of mud OS continues to work as well.

     

    --
    Deleted
  5. Re:And this is a surprise? by Anonymous Coward · · Score: 1, Insightful

    On the other hand, Firefox on Linux wasn't exploited at all.

    Yes, but there wasn't a Linux box. IE 4 on Windows 95 wasn't exploited during the contest either... does that prove anything?

  6. Re:BULLSHIT. by Anonymous Coward · · Score: 2, Insightful

    It was only immune in the internet zone, due to MS disabling .net controls in that zone. The bug still exists and is fully exploitable in the intranet zone. Also, IE has had a long history of cross-zone-scripting bugs which allow an attacker to run js code in a different protection zone than it really exists in. If you trick IE into thinking your code is in the intranet zone, this vulnerability opens right up.

  7. Re:First post. by Thinboy00 · · Score: 2, Insightful

    The whole point of Betas is that they have bugs etc. and haven't been tested. If you care about security, you shouldn't use a Beta. If you don't care, why are you asking?

    --
    $ make available