    Mozilla Patches Firefox for Pwn2Own Security Flaws

    Written by

    Sean Michael Kerner
    Published March 23, 2015

      As has been the case in prior years, Mozilla is the first vendor to patch its browser for vulnerabilities first disclosed at Hewlett-Packard’s Pwn2Own browser-hacking contest. Every year, major browsers that the vendors have fully patched beforehand are found to be exploitable, and 2015 was no exception.

      At the 2015 Pwn2Own event on March 18 and 19, Microsoft’s Internet Explorer, Google Chrome, Apple Safari and Mozilla Firefox were all exploited by security researchers. As of March 23, Mozilla is the only browser vendor to have issued an update to fix the flaws.

      Mozilla released Firefox 36.0.3 on March 20, with the intention of providing fixes for the security issues that were first disclosed at Pwn2Own 2013. However, Mozilla quickly discovered that one of the fixes was not complete and released Firefox 36.0.4 on March 21 providing an update. The updated fix in Firefox 36.0.4 is for a vulnerability identified as CVE-2015-0818, which is a same-origin bypass issue that was demonstrated by researcher Mariusz Mlynski on March 18.

      Firefox was also patched for CVE-2015-0817, a JavaScript exploit demonstrated by a security researcher known only as ilxu1a.

      “Security researcher ilxu1a reported, through HP Zero Day Initiative’s Pwn2Own contest, a flaw in Mozilla’s implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access,” Mozilla warns in its advisory. “This flaw can be leveraged into the reading and writing of memory allowing for arbitrary code execution on the local system.”

      As to why Mozilla didn’t quite get the CVE-2015-0818 fix right the first time with Firefox 36.0.3, Dan Veditz, principal security engineer at Mozilla, explained that it can take a significant amount of time to build Firefox and run acceptance tests on three or more configurations, across all supported platforms and over 70 localized versions.

      “Once we had fixes that stopped the two Pwn2Own exploits, we started the 36.0.3 build and release process while we continued to test and investigate in parallel,” Veditz told eWEEK. “When we found the initial fix was incomplete, we added an additional patch to catch the variant, and shipped 36.0.4 to cover that.”

      In terms of the other browsers that were exploited at Pwn2Own, neither Apple nor Google responded to a request for comment from eWEEK for this story about the timing or availability of patches. Microsoft generally doesn’t comment about specific update timing ahead of a security bulletin’s release, but a company representative did respond to eWEEK about the Pwn2Own issues.

      “We are not aware of any active attacks from the privately disclosed Pwn2Own competition findings,” Microsoft stated in an email to eWEEK. “We will continue to work with the security community as needed to help protect our customers.”

      Mozilla released Firefox 28 in March 2014, less than a week after the private disclosure of the vulnerabilities to HP at the 2014 Pwn2Own event. Microsoft patched its 2014 Pwn2Own flaws in June 2014.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
