Mozilla follows Google, patches Firefox as prep for Pwn2Own

Quashes 11 bugs, including CSRF flaw that worried Adobe

Mozilla has followed in rival Google's footsteps and patched 11 security flaws in its Firefox browser before a hacking contest kicks off next week.

Nine of the 11 flaws were rated 'critical', a threat rating that implies hackers could use the vulnerabilities to compromise a computer or infect it with malware. Of the two remaining bugs, one was labelled 'high' and the second was tagged as 'moderate'.

The updates, which brought the open-source browser to versions 3.6.14 and 3.5.17, were the first since December, a longer-than-usual span between Mozilla patch shipments. Part of the reason was that the updates were delayed. They had been slated to show in mid-February, but Mozilla held them to investigate a non-security bug that caused some users' browsers to crash.

The new patches address three JavaScript flaws, two bugs in Firefox's browser engine, a JPEG rendering vulnerability that could be exploited by serving a malicious image to users, and a cross-site request forgery (CSRF) bug.

An Adobe security researcher reported the CSRF vulnerability, which was the issue rated high, Mozilla said in its patch notes. According to information posted on a security mailing list last month, the CSRF bug can be exploited in several browsers - Firefox, Apple's Safari and Google's Chrome - using a malformed Flash file.

Previously, Mozilla developers had reported that Adobe was pressing them to issue a patch for the CSRF bug.

The security update reaches users eight days before Pwn2Own, the annual hacking contest held at the CanSecWest security conference. Pwn2Own begins March 9, when security researchers will compete for $65,000 in prizes by trying to take down the most up-to-date production editions of Firefox, Chrome, Safari and Microsoft's Internet Explorer.

Google patched 19 bugs in Chrome this week, making Firefox the second of the four targeted browsers to get a last-minute security polish before the challenge.

Last year, Google and Apple updated their browsers just days before Pwn2Own, but Mozilla did not. Instead, Mozilla acknowledged a critical vulnerability in Firefox less than a week before 2010's contest, but said it wouldn't fix the flaw until after its conclusion. Pwn2Own organizers then ruled that hackers would not be allowed to use the vulnerability to exploit Firefox.

Firefox 3.6.14, the version that will be attacked at Pwn2Own, will soon be displaced by Firefox 4, which entered its final beta this week. Mozilla is moving toward a 'release candidate' build, and unless unexpected problems pop up, will probably ship the browser this month.

Users can update to Firefox 3.6.14 by downloading the new edition or by selecting 'Check for Updates' from the Help menu in the browser. Firefox 3.5 users can obtain version 3.5.17 with the update tool.
