As in prior years, Mozilla is the first vendor to patch its browser for vulnerabilities disclosed at Hewlett-Packard’s Pwn2Own browser-hacking contest. Every year, major browsers that their vendors have fully patched beforehand are found to be exploitable, and 2015 was no exception.
At the 2015 Pwn2Own event on March 18 and 19, Microsoft’s Internet Explorer, Google Chrome, Apple Safari and Mozilla Firefox were all exploited by security researchers. As of March 23, Mozilla is the only browser vendor to have issued an update to fix the flaws.
Mozilla released Firefox 36.0.3 on March 20 to fix the security issues that were first disclosed at Pwn2Own 2015. Mozilla quickly discovered, however, that one of the fixes was incomplete, and released Firefox 36.0.4 on March 21 with a corrected patch. The updated fix in Firefox 36.0.4 is for a vulnerability identified as CVE-2015-0818, a same-origin policy bypass demonstrated by researcher Mariusz Mlynski on March 18.
Firefox was also patched for CVE-2015-0817, a vulnerability in the JavaScript just-in-time (JIT) compiler demonstrated by a security researcher known only as ilxu1a.
“Security researcher ilxu1a reported, through HP Zero Day Initiative’s Pwn2Own contest, a flaw in Mozilla’s implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access,” Mozilla warns in its advisory. “This flaw can be leveraged into the reading and writing of memory allowing for arbitrary code execution on the local system.”
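The property the advisory describes, that typed-array element accesses stay bounds-checked even after the JIT has compiled the surrounding loop, can be probed from script. The following is an added example, written for this article; it is not code from Mozilla, HP ZDI or the researcher, and it assumes nothing about Firefox internals beyond the language specification: a read at an out-of-range index on a typed array must yield undefined, and a write there must be dropped. The functions `readWindow`, `writeWindow` and `probeTypedArrayBounds`, and the warm-up loop that makes them hot enough to be JIT-compiled, are constructed here for illustration.

```javascript
"use strict";

// Added example, not code from the article, Mozilla or HP ZDI.
// Typed-array element access is specified to be bounds-checked: a read
// outside [0, length) yields undefined and a write outside it is dropped.
// A JIT may hoist or eliminate the check when range analysis proves the
// index is in bounds; this probe first runs the access functions with
// in-bounds arguments until the engine compiles them, then feeds indices
// that cross the end of the buffer and confirms the specified behaviour
// still holds. All inputs are constructed inline.

function readWindow(arr, start, count) {
  // Contiguous window read: the loop shape a JIT is most likely to
  // optimise by reasoning about start + k against arr.length.
  let acc = 0;
  for (let k = 0; k < count; k++) {
    acc += arr[start + k];          // undefined + number -> NaN when OOB
  }
  return acc;
}

function writeWindow(arr, start, count, value) {
  for (let k = 0; k < count; k++) {
    arr[start + k] = value;         // must be a no-op when OOB
  }
}

function probeTypedArrayBounds(warmupIterations = 100000) {
  const buf = new Uint8Array(64);
  // Separate object acting as a canary; it must never change.
  const canary = new Uint8Array(64).fill(0xAA);

  // Warm-up with in-bounds arguments only (max index 31 + 31 = 62).
  for (let i = 0; i < warmupIterations; i++) {
    writeWindow(buf, i % 32, 32, i & 0xFF);
    readWindow(buf, i % 32, 32);
  }

  // Reads crossing the end of the buffer: indices 60..67.
  const oobRead = readWindow(buf, 60, 8);

  // Writes crossing the end: only indices 60..63 may change.
  writeWindow(buf, 0, 64, 0);       // reset every element to 0
  writeWindow(buf, 60, 8, 0x41);

  return {
    oobReadIsNaN: Number.isNaN(oobRead),
    inBoundsWritten: Array.from(buf.subarray(60, 64)).every(b => b === 0x41),
    neighbourUntouched: buf[59] === 0,
    lengthUnchanged: buf.length === 64,
    canaryIntact: canary.every(b => b === 0xAA),
    oobIndicesUndefined: buf[64] === undefined && buf[-1] === undefined,
  };
}
```

Every field of the returned object should be true on a correct engine; a false `canaryIntact` or `neighbourUntouched` would be the kind of signal that warrants a closer look at the JIT, though a genuine bounds-check elimination bug usually corrupts memory this script cannot observe, so a clean run is not proof of absence.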
As to why Mozilla didn’t quite get the CVE-2015-0818 fix right the first time with Firefox 36.0.3, Dan Veditz, principal security engineer at Mozilla, explained that it can take a significant amount of time to build Firefox and run acceptance tests on three or more configurations, across all supported platforms and over 70 localized versions.
“Once we had fixes that stopped the two Pwn2Own exploits, we started the 36.0.3 build and release process while we continued to test and investigate in parallel,” Veditz told eWEEK. “When we found the initial fix was incomplete, we added an additional patch to catch the variant, and shipped 36.0.4 to cover that.”
In terms of the other browsers that were exploited at Pwn2Own, neither Apple nor Google responded to a request for comment from eWEEK for this story about the timing or availability of patches. Microsoft generally doesn’t comment about specific update timing ahead of a security bulletin’s release, but a company representative did respond to eWEEK about the Pwn2Own issues.
“We are not aware of any active attacks from the privately disclosed Pwn2Own competition findings,” Microsoft stated in an email to eWEEK. “We will continue to work with the security community as needed to help protect our customers.”
Mozilla released Firefox 28 in March 2014, less than a week after the private disclosure of the vulnerabilities to HP at the 2014 Pwn2Own event. Microsoft patched its 2014 Pwn2Own flaws in June 2014.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.