Chicago (IL) – Public
pressure resulting from a controversial public posting of an attack
code that may allow malicious users to exploit a serious Firefox
vulnerability, prompted Mozilla to change its release its release schedule and roll out Firefox 3.0.8 late last week, just two days following the
public posting of the code. In addition to fixing this
vulnerability, the updated browser patches another critical flaw that could be
used to trigger garbage collection routines.
You may remember from our recent post
how security researcher Guido Landi comvinced Mozilla to accelerate the Firefox 3.0.8 release, following his discovery of
a nasty bug. In a nutshell, the bug could be used to fool an
unsuspecting user into opening a malicious XML file that, in turn, exploits the vulnerability to run web-based
malware on his computer (also know as “drive-by
download”).
Langi was not happy how long it takes browser vendors to react to security problems and usually
stick to pre-determined release schedules to deliver critical
fixes. The researcher informed Firefox developers of the vulnerability
he discovered but also posted the attack code online, a move some of
our readers called irresponsible, attention-seeking maneuvering.
Nevertheless, it was enough for Mozilla to put forth patched Firefox
3.0.8 release ahead of the planned schedule.
It appears that the
gravity of the vulnerability pushed
Mozilla’s buttons. The organization originally promised to deliver the
fix early this week, but then changed its mind. Firefox
3.0.8 became available this past Friday, just day two days following Landi’s post. While
the updated browser fixed the potentially dangerous vulnerability, Mozilla did not credit its discovery exclusively to Langi.
“Security
researcher Guido Landi discovered that a XSL stylesheet could be used
to crash the browser during a XSL transformation. An attacker could
potentially use this crash to run arbitrary code on a victim’s
computer,” Mozilla wrote. “This vulnerability was also previously
reported as a stability problem by Ubuntu community member, Andre,” the
organization added. “Ubuntu community member Michael Rooney
reported Andre’s findings to Mozilla, and Mozilla community member
Martin helped reduce Andre’s original testcase and contributed a patch
to fix the vulnerability.”
Firefox 3.0.8 also fixes another
critical exploit associated with Firefox’s XUL engine that could be
used to trigger garbage collection routines. This would cause the
browser to crash, enabling an attacker to run arbitrary code on a victim’s
computer. Mozilla noted that it was this vulnerability that allowed the
person who reported the issue to win the 2009 CanSecWest Pwn2Own contest. In addition to
these two critical exploits, Firefox 3.0.8 patched several other known bugs. All Firefox users are urged to download the latest version or invoke Firefox’s update mechanism by choosing Check for Updates… from the Help menu.