Firefox 3.0.8 Security Update to Fix Hackable Security Flaw

Article by George Norman (Cybersecurity Editor)

on 27 Mar 2009

Next week the Mozilla Foundation plans to make the Firefox 3.0.8 update available to the general public. This is a security update that is meant to address known security vulnerabilities that affect the browser running on all supported operating systems. The security holes in question could allow a person with malicious intent to install software on a targeted system – all without the user’s knowledge.

“The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido are both critical issues that can result in malicious code execution. These issues can be exploited by tricking a user into visiting a malicious web page hosting the exploit code. The pwn2own bug can be mitigated by disabling JavaScript. Both issues have been investigated and fixes have been developed which are now undergoing quality assurance testing. These fixes will be included in the upcoming Firefox 3.0.8 release, due to be released by April 1,” explains the Mozilla Security Blog.

People keeping track of these things will remember that Nils is the mysterious computer science student from Germany who managed to hack three of the most popular web browsers out there (Safari, Firefox, IE8) during the 2009 Pwn2Own competition, earning him a $15,000 reward. By accepting the prize money he effectively sold the vulnerability rights and consequently could not provide an in-depth look at the vulnerability that he exploited in Firefox. This is not the case with Guido Landi’s XSLT vulnerability, which has been published online. No known exploit is currently available in the wild.

You are very well advised to update your Firefox browser next week, when the update becomes available – we will make sure to keep you informed, so check back for updates. As always, there will be two ways for you to get Firefox 3.0.8:
1. Download the software and install it on your machine.
2. If you have Firefox 3.0 installed on your machine, click Help -> Check for Updates. The update will be rolled out automatically, but if you check for it you might get it a bit earlier.

UPDATE: Firefox 3.0.8 has been released - details here.

