Mozilla beats rivals, patches Firefox's Pwn2Own bug

Credit to Author: Gregg Keizer | Date: Mon, 20 Mar 2017 17:26:00 -0700

Mozilla last week patched a Firefox vulnerability just a day after it was revealed during Pwn2Own, making it the first vendor to fix a flaw disclosed at the hacking contest.

“Congrats to #Mozilla for being the first vendor to patch vuln[erability] disclosed during #Pwn2Own,” tweeted the Zero Day Initiative (ZDI) Monday. ZDI, the bug brokerage run by Trend Micro, sponsored Pwn2Own.

Mozilla released Firefox 52.0.1 on Friday, March 17, with a patch for the integer overflow bug that Chaitin Security Research Lab leveraged in an exploit at Pwn2Own on Thursday, March 16. The Beijing-based group was awarded $30,000 by ZDI for the exploit, which combined the Firefox bug with one in the Windows kernel.

The vulnerability was rated “Critical” by Mozilla in an accompanying description. As usual, the company masked the technical details of the bug from outsiders.

Chaitin was just one of several Chinese security teams that participated in Pwn2Own, again held at the annual CanSecWest conference in Vancouver, B.C., Canada. The group took third place among the participants, and won a total of $90,000 in prize money.

Firefox was not the only browser to fall at Pwn2Own. Apple’s Safari was hacked four times at the contest, and Microsoft’s Edge was exploited five times during the three-day event. Google’s Chrome, however, came away unscathed.
