That was quick!
Mozilla and Google have already pushed out patches to stop the exploits that got past their browsers at this year’s PWN2OWN competition!
Firefox goes to version 19.0.2, fixing what Mozilla describes as a Use-after-free in HTML Editor:
→ Mac and Linux users of Firefox may be wondering where 19.0.1 went, as they won’t have seen such a version. It was a Windows-only update to deal with some Windows-specific graphics card troubles. There were no security fixes in it.
Chrome goes to version 25.0.1364.160, fixing what Google calls a Type confusion in WebKit:
These updates certainly throw down the gauntlet to Microsoft, whose Internet Explorer 10 browser was also successfully breached in the competition.
Microsoft has already announced – or “pre-announced”, whatever that means – the fixes that are coming in next week’s Patch Tuesday, and for obvious reasons, the vulnerability revealed yesterday is not one of them.
So it’s hard to imagine Microsoft being ready with a fix before next month, let alone by next week.
Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.
But since Internet Explorer is supposed to be “just another application” as far as Windows (and certainly the European Union) is concerned, you’d have to think that it’s still within the bounds of possibility for Microsoft to do something before next Tuesday rolls around.
Even if it’s only a temporary Fixit patch, or a consumer-centric patch pushed to non-corporate users only.
For Microsoft to get out an IE patch in time for next week would be a strong technical showing, a great security outcome, and a fantastic marketing manoeuvre.
While we wait for Redmond, let’s congratulate the Mozilla and the Chrome teams on their speedy responses.
And let’s remember, too, that this story shows that the scales aren’t inevitably tipped in the Bad Guys’ favour, as we so often hear people complain.
Word on the street is that the exploits deployed in this year’s PWN2OWN didn’t come easily, taking weeks or even months of dedicated effort to uncover, while the patches, at least for the open-source browser codebases, came really quickly.
It’s nice to know that ever more security really is getting baked into the browser software with which we confront the perils of the internet!
"It's nice to know that ever more security really is getting baked into the browser software with which we confront the perils of the internet!"
Well said!
Almost zero stories about OS X and Safari. What is the story about that?
Paul, can you do a story about that?
I touched on that issue in these articles:
http://nakedsecurity.sophos.com/2013/03/07/pwn2ow…
http://nakedsecurity.sophos.com/2013/03/08/pwn2ow…
No-one entered to take on Safari.
I can't say why; I can only speculate. (Which I did in the stories above – and see the comments, too, for what our readers thought.)
So we should not assume that Safari is any safer than any other browser. Just because it's Apple doesn't mean it's safe at all.
We need someone to attempt an attack, on Windows and OS X versions, so any vulnerabilities they find can be rectified. Without the attempt we will not know where the attacks get in nor how to stop them.
All those bugs and easily hacked software from Micro$oft over the decades isn't just sloppy work, they must be in bed with the feds to let them have backdoors into our PCs so Big Brother can spy to his heart's content.
Amen to that!
Great response from Google and Mozilla.
Here is a Firefox developer's breakdown of the timeline to fix their vulnerability: http://garykwong.wordpress.com/2013/03/08/protect…
Fixed in a matter of hours with a build spun and pushed out the next morning. Impressive.
How about Opera?
Wasn't included in the competition…so there was neither a prize nor a public attempt to exploit it.
Sorry.
(Don't shoot the messenger 🙂)