Mozilla Releases Firefox 28, Fixes Vulnerabilities Presented at Pwn2Own


18 vulnerabilities fixed in Firefox

Firefox 28 is available for download. In addition to some new features and bug fixes, Mozilla has also addressed a number of security holes, including the ones disclosed by researchers at Pwn2Own 2014.

A total of 18 security issues have been fixed. Five of them are critical, three of them are high-impact, seven are moderate-impact, and three are minor security vulnerabilities.

All of the flaws presented at Pwn2Own are considered critical. They’ve been identified by Mariusz Mlynski, VUPEN, George Hotz (geohot) and Jüri Aedla.

Mlynski managed to execute arbitrary code in Firefox by loading a JavaScript URL executed with full privileges of the web browser.

For this, he leveraged a couple of bugs: one that allowed untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call window.open(), and one that allowed the pop-up blocker to be bypassed without any user interaction.

Aedla managed to execute code by exploiting security holes leading to out-of-bounds reads and writes into the JavaScript heap. He accomplished this after discovering that “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use.”

An exploitable use-after-free issue was identified by VUPEN. Experts found that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine.

Hotz executed arbitrary code by causing an exploitable crash after leveraging an issue where values are copied from an array into a second, neutered array, which allows an out-of-bounds write into memory.
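To make the failure mode behind the Aedla and Hotz findings concrete, the following is an added illustration constructed for this article (not Mozilla's or SpiderMonkey's code): a typed-array view keeps using a length captured before its ArrayBuffer was neutered, beside a copy routine that re-checks the live buffer before writing. The struct and function names are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an ArrayBuffer and a typed-array view that captured
 * the buffer's length at creation (not SpiderMonkey's real types). */
typedef struct {
    uint8_t *data;
    size_t   byte_length;        /* set to 0 when the buffer is neutered */
} array_buffer;
typedef struct {
    array_buffer *buffer;
    size_t        cached_length; /* stale once the buffer is neutered */
} typed_array_view;

/* Neutering detaches the storage and zeroes the length while views still exist. */
static void neuter(array_buffer *buf) {
    free(buf->data); buf->data = NULL; buf->byte_length = 0;
}

/* Vulnerable pattern: bounds-checks n against the view's cached length only.
 * Returns how many bytes would land past the live buffer (0 when none); it
 * does not perform the write, so the demonstration stays memory safe. */
size_t stale_copy_overrun(const typed_array_view *dst, size_t n) {
    if (n > dst->cached_length) n = dst->cached_length;
    size_t live = dst->buffer->byte_length;
    return n > live ? n - live : 0;
}

/* Hardened pattern: re-validate against the buffer's current state at write time. */
bool checked_copy(typed_array_view *dst, const uint8_t *src, size_t n) {
    array_buffer *buf = dst->buffer;
    if (buf->data == NULL || n > buf->byte_length) return false;
    memcpy(buf->data, src, n);
    return true;
}

/* Scenario: 16-byte buffer, a view over it, 16-byte copies through the view
 * before and after neutering. Returns the overrun the stale check would allow
 * (16 here), or -1 if the hardened copy misbehaved in either state. */
long run_scenario(void) {
    uint8_t src[16] = {0};
    array_buffer buf = { calloc(16, 1), 16 };
    typed_array_view view = { &buf, buf.byte_length };
    if (!checked_copy(&view, src, 16)) return -1;   /* must succeed while live */
    neuter(&buf);
    if (checked_copy(&view, src, 16)) return -1;    /* must refuse once neutered */
    return (long)stale_copy_overrun(&view, 16);
}
```

The returned overrun of 16 bytes is exactly what a copy trusting the stale view length would write past a zero-length buffer; the checked variant refuses the write because it consults the buffer rather than the view.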

These vulnerabilities impact not only Firefox, but also SeaMonkey and Thunderbird.

The fifth critical vulnerability fixed with the release of Firefox 28 is described as “miscellaneous memory safety hazards.”

The high-impact security holes refer to SVG filters information disclosure through feDisplacementMap, an information disclosure through polygon rendering in MathML, and out-of-bounds read during WAV file decoding.

Google fixed the vulnerabilities presented at Pwn2Own 2014 shortly after the hacking competition ended. It appears that Mozilla didn’t want to wait too long either. It remains to be seen when Microsoft will address the Internet Explorer security holes exploited by experts at Pwn2Own.
