As has been the case in prior years, Mozilla is the first vendor to patch its browser for vulnerabilities first disclosed at Hewlett-Packard’s Pwn2Own browser-hacking contest. Every year, major browsers that the vendors have fully patched beforehand are found to be exploitable, and 2015 was no exception.
At the 2015 Pwn2Own event on March 18 and 19, Microsoft’s Internet Explorer, Google Chrome, Apple Safari and Mozilla Firefox were all exploited by security researchers. As of March 23, Mozilla is the only browser vendor to have issued an update to fix the flaws.
Mozilla released Firefox 36.0.3 on March 20, with the intention of providing fixes for the security issues that were first disclosed at Pwn2Own 2013. However, Mozilla quickly discovered that one of the fixes was not complete and released Firefox 36.0.4 on March 21 providing an update. The updated fix in Firefox 36.0.4 is for a vulnerability identified as CVE-2015-0818, which is a same origin-bypass issue that was demonstrated by researcher Mariusz Mylnski on March 18.
As to why Mozilla didn’t quite get the CVE-2015-0818 fix right the first time with Firefox 36.0.3, Dan Veditz, principal security engineer at Mozilla, explained that it can take a significant amount of time to build Firefox and run acceptance tests on three or more configurations, across all supported platforms and over 70 localized versions.
“Once we had fixes that stopped the two Pwn2Own exploits, we started the 36.0.3 build and release process while we continued to test and investigate in parallel,” Veditz told eWEEK. “When we found the initial fix was incomplete, we added an additional patch to catch the variant, and shipped 36.0.4 to cover that.”
In terms of the other browsers that were exploited at Pwn2Own, neither Apple nor Google responded to a request for comment from eWEEK for this story about the timing or availability of patches. Microsoft generally doesn’t comment about specific update timing ahead of a security bulletin’s release, but a company representative did respond to eWEEK about the Pwn2Own issues.
“We are not aware of any active attacks from the privately disclosed Pwn2Own competition findings,” Microsoft stated in an email to eWEEK. “We will continue to work with the security community as needed to help protect our customers.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.