Firefox and Chrome patched ALREADY after Pwn2own - now the pressure is on for IE and Microsoft!

That was quick!

Mozilla and Google have already pushed out patches to stop the exploits that got past their browsers at this year's PWN2OWN competition!

Firefox goes to version 19.0.2, fixing what Mozilla describes as a Use-after-free in HTML Editor.

→ Mac and Linux users of Firefox may be wondering where 19.0.1 went, as they won't have seen such a version. It was a Windows-only update to deal with some Windows-specific graphics card troubles. There were no security fixes in it.

Chrome goes to version 25.0.1364.160, fixing what Google calls a Type confusion in WebKit.

These updates certainly throw down the gauntlet to Microsoft, whose Internet Explorer 10 browser was also successfully breached in the competition.

Microsoft has already announced - or "pre-announced", whatever that means - the fixes that are coming in next week's Patch Tuesday, and for obvious reasons, the vulnerability revealed yesterday is not one of them.

So it's hard to imagine Microsoft being ready with a fix before next month, let alone by next week.

Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.

But since Internet Explorer is supposed to be "just another application" as far as Windows (and certainly the European Union) is concerned, you'd have to think that it's still within the bounds of possibility for Microsoft to do something before next Tuesday rolls around.

Even if it's only a temporary Fixit patch, or a consumer-centric patch pushed to non-corporate users only.

For Microsoft to get out an IE patch in time for next week would be a strong technical showing, a great security outcome, and a fantastic marketing manoeuvre.

While we wait for Redmond, let's congratulate the Mozilla and the Chrome teams on their speedy responses.

And let's remember, too, that this story shows that the scales aren't inevitably tipped in the Bad Guys' favour, as we so often hear people complain.

Word on the street is that the exploits deployed in this year's PWN2OWN didn't come easily, taking weeks or even months of dedicated effort to uncover, while the patches, at least for the open-source browser codebases, came really quickly.

It's nice to know that ever more security really is getting baked into the browser software with which we confront the perils of the internet!

10 Responses to Firefox and Chrome patched ALREADY after Pwn2own - now the pressure is on for IE and Microsoft!

  1. Nigel · 948 days ago

    "It's nice to know that ever more security really is getting baked into the browser software with which we confront the perils of the internet!"

    Well said!

  2. TED · 948 days ago

    Almost zero stories about OS X and Safari. What is the story about that?

    Paul can you do a story about that?

    • Paul Ducklin · 946 days ago

      I touched on that issue in these articles:

      No-one entered to take on Safari.

      I can't say why; I can only speculate. (Which I did in the stories above - and see the comments, too, for what our readers thought.)

      • Rural_Mike · 946 days ago

        So we should not assume that Safari is any safer than any other browser. Just because it's Apple doesn't mean it's safe at all.
        We need someone to attempt an attack, on Windows and OS X versions, so any vulnerabilities they find can be rectified. Without the attempt we will not know where the attacks get in nor how to stop them.

  3. Lese Majeste · 948 days ago

    All those bugs and easily hacked software from Micro$oft over the decades isn't just sloppy work, they must be in bed with the feds to let them have backdoors into our PCs so Big Brother can spy to his heart's content.

  4. Arerifx · 948 days ago

    Great response from Google and Mozilla.

  5. caspy77 · 948 days ago

    Here is a Firefox developer's breakdown of the timeline to fix their vulnerability:
    Fixed in a matter of hours with a build spun and pushed out the next morning. Impressive.

  6. Crag · 946 days ago

    How about Opera?

    • Paul Ducklin · 946 days ago

      Wasn't included in the there was neither a prize nor a public attempt to exploit it.


      (Don't shoot the messenger :-)

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog