Here’s some news about Firefox 28.0, which was just released on 18 March 2014.
I’ll keep this super-short, because the update pretty much writes its own story.
As you probably know, the Firefox browser (at least, Firefox on Windows) was hacked four times at the recent PWN2OWN competition, netting four security researchers $50,000 each.
That was at the end of last week, on Thursday 13 March 2014.
The PWN2OWN hacks were remote code execution exploits – the sort that are most important to fix.
→ PWN2OWN rules require full but responsible disclosure. To get your prize, you have to tell the vendor, and only the vendor (OK, and HP, the competition organisers) exactly how you did it. That means the vendor doesn’t have to rush, as the exploits aren’t published for the world at large to use.
How many of those four holes were fixed in Firefox 28.0?
Mozilla Foundation Security Advisory 2014-29:
Mozilla Foundation Security Advisory 2014-30:
Security research firm VUPEN, via TippingPoint’s Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition.
Mozilla Foundation Security Advisory 2014-31:
Mozilla Foundation Security Advisory 2014-32:
Security researcher George Hotz, via TippingPoint’s Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution.
That’ll be all four fixed, then.
There’s one more Advisory listed as critical, covering a range of possibly-exploitable bugs found by the Mozilla developers themselves, denoted by the usual words “Miscellaneous memory safety hazards.”
Note that the Firefox Extended Support Release (ESR) goes to 24.4.0.
Firefox ESR is commonly used in organisations that are happy to take security fixes frequently, but prefer more time to think about feature changes.
Nice work all round by the Mozilla team.