Mozilla confirms critical Firefox bug

Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest

Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."

Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.

The bug was disclosed by Russian researcher Evgeny Legerov a month ago in a message posted on a forum hosted by Immunity, the Miami Beach, Fla. developer best known for its Canvas penetration testing framework. Legerov works for Moscow-based Intevydis, which produces the VulnDisco add-on for Canvas.

Legerov did not publish attack code, and initially refused to provide details to Mozilla, according to a March 4 entry he posted on his blog. "I've ignored e-mails ... from Mozilla, please do not waste my and your time anymore," Legerov wrote. The blog has since been deleted, but is still available via Google's cache .

In comments appended to a vulnerability alert published by Danish bug tracker Secunia, several users questioned Legerov's motives for making the announcement, while others chided Secunia for not thoroughly testing the flaw or claimed that it was all a hoax.

Mozilla yesterday said Legerov had eventually sent them "sufficient details to reproduce and analyze the issue."

Until the March 30 patch is released, users can upgrade Firefox to the beta of version 3.6.2, which includes the fix, by downloading the preview .

Although Apple and Google have recently updated Safari and Chrome , respectively -- beefing up the browsers' security before the $100,000 Pwn2Own hacking contest starts March 24 -- the version of Firefox that will be used in the challenge will lack the patch for Legerov's vulnerability. Pwn2Own will pit only production versions of Chrome, Firefox, Internet Explorer (IE) and Safari against the hacking talents of researchers.

However, that doesn't mean hackers will be able to use the bug to claim one of the $10,000 prizes for successfully exploiting Firefox. "We will have our entire research team on-site so that we can do our best to ensure that known issues such as this one do not turn up at our contest," said Aaron Portnoy, a research team lead with 3Com TippingPoint, the company sponsoring Pwn2Own.

Portnoy, who organized the fourth annual contest, has predicted that Microsoft 's IE8 will be the first browser to fall during the three-day event.

Mozilla will also patch Firefox 3.0 (with 3.0.19) and Firefox 3.5 (with 3.5.9) on March 30. Firefox 3.0.19 will be the final security update for the browser Mozilla debuted in mid-2008.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

metatag data

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags exploits and vulnerabilitiesFirefoxsecuritybrowserspwn2own

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?