Mozilla Patches Firefox 28 Pwn2Own Flaws, Adds Gamepad API Support

Mozilla patches zero-day flaws less than a week after they're first reported and adds new capabilities to the open-source Web browser.

Mozilla is out today with its latest Firefox Web browser release, fixing security vulnerabilities and providing new capabilities to end users and developers.

Firefox 28 patches all four zero-day vulnerabilities that were disclosed during the Hewlett-Packard Pwn2Own event last week. HP awarded security researchers $50,000 each, for a total of $200,000, for the four zero-days that are now patched in Firefox 28.

Johnathan Nightingale, vice president of Firefox at Mozilla, told eWEEK that Mozilla implemented all of the fixes over the weekend so they could be included in today's Firefox 28 release. Although the four zero-day flaws were first reported on March 19 and March 20, they were not being exploited in the wild. HP has a responsible disclosure process for Pwn2Own vulnerabilities and has not publicly disclosed the flaws.

From a features perspective, the Firefox 28 update had been anticipated to include Mozilla's first real attempt at a native Windows Modern UI (formerly known as Metro) interface. Nightingale decided to terminate the Firefox for Metro effort last week after coming to the conclusion that Mozilla's resources would be better utilized elsewhere.

While Firefox 28 does not have a Metro interface, it is still available as a normal Windows application, as an alternative to Microsoft's Internet Explorer Web browser. IE was also targeted by security researchers at the Pwn2Own event, though Microsoft has yet to patch its browser for the reported zero-day flaws.


One of Firefox 28's new features is support for the Gamepad API, which could enable a new era of browser-based gaming.

"The Gamepad API enables access to generic game controllers; no specific vendor's hardware is needed," Nightingale said.

The Gamepad API has been available to Mozilla users as a configuration option since the Firefox 24 release in September 2013. Firefox 28 for the first time, however, makes the Gamepad API available by default to all users, though it's a technology that doesn't yet enjoy much adoption.

"Few Web games use the Gamepad API currently because of spotty support, but we're hoping that now with both Firefox and Chrome supporting it, we'll see developers taking advantage of it," Nightingale said. "It will become even more important now that we're seeing a lot of interest in bringing high-end games to the Web via WebGL and asm.js."

WebGL (Web Graphics Library) and asm.js are evolving Web technologies that are set to bring console-level gaming to the Web browser. Mozilla has been working with game development companies to further enable Firefox browser support. In March 2013, Mozilla announced a partnership with Epic Games to leverage WebGL and asm.js for the Unreal game development engine. Mozilla is now working with Epic's rival Unity to enable Unity developers to run their games directly inside the Firefox browser as well.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.