Mozilla First To Patch Pwn2Own Browser Vulnerability

Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

Re:First post.

[MightyYar]

Yeah, but internet browsing just doesn't feel as exciting without the risk. Back to unpatched XP with IE6 for me...

BAH!

[iminplaya]

The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.

Re:Seen how insecure web browsers are...

[siride]

You could try not freaking the fuck out about browser security, unless you plan on visiting Russian spam sites and whatnot. I use Firefox on Linux and I've never had an issue. I use Flashblock, Adblock and occasionally Noscript. Just exercise reasonable caution and you should be fine. Heck, even under Windows I never got viruses or spyware, and I used IE!

Re:MS already patched in IE8 final build

Doesn't support DEP, so will be a bit more work.

DEP is supported on Windows XP since SP2.

Re:And this is a surprise?

[makomk]

Well, it wouldn't work on Vista on the final release of IE8, except on Intranet pages. Apparently, it still works on IE8 running under XP, still works on Intranet pages. The underlying vulnerability is still present on IE8 on all platforms, it's just that there's not currently any way to exploit it thanks to DEP and ASLR.

Re:And this is a surprise?

[icebraining]

On the other hand, Firefox on Linux wasn't exploited at all.