Firefox 28.0 takes on the PWN2OWN attacks already


Here’s some news about Firefox 28.0, which was just released on 18 March 2014.

I’ll keep this super-short, because the update pretty much writes its own story.

As you probably know, the Firefox browser (at least, Firefox on Windows) was hacked four times at the recent PWN2OWN competition, netting four security researchers $50,000 each.

That was at the end of last week, on Thursday 13 March 2014.

The PWN2OWN hacks were remote code execution exploits – the sort that are most important to fix.

→ PWN2OWN rules require full but responsible disclosure. To get your prize, you have to tell the vendor, and only the vendor (OK, and HP, the competition organisers) exactly how you did it. That means the vendor doesn’t have to rush, as the exploits aren’t published for the world at large to use.

How many of those four holes were fixed in Firefox 28.0?

Mozilla Foundation Security Advisory 2014-29:

Security researcher Mariusz Mlynski, via TippingPoint’s Pwn2Own contest, reported that it is possible for untrusted web content to load a chrome-privileged page by getting JavaScript-implemented WebIDL to call A second bug allowed the bypassing of the popup-blocker without user interaction. Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution.

Mozilla Foundation Security Advisory 2014-30:

Security research firm VUPEN, via TippingPoint’s Pwn2Own contest, reported that memory pressure during Garbage Collection could lead to memory corruption of TypeObjects in the JS engine, resulting in an exploitable use-after-free condition.

Mozilla Foundation Security Advisory 2014-31:

Security researcher Jüri Aedla, via TippingPoint’s Pwn2Own contest, reported that TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.

Mozilla Foundation Security Advisory 2014-32:

Security researcher George Hotz, via TippingPoint’s Pwn2Own contest, discovered an issue where values are copied from an array into a second, neutered array. This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution.

That’ll be all four fixed, then.
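As an added illustration (not code from this post, from Mozilla or from the researchers), here is what the hazard behind the last two advisories looks like from page JavaScript on a patched engine: a typed-array view whose ArrayBuffer is neutered (now called "detached") while a copy is in progress. The naive loop caches the length and carries on; the checked version re-validates the live length after every value conversion, which is the discipline the engine itself was missing. It assumes Node.js 17 or newer, where `structuredClone` with `transfer` detaches a buffer.

```javascript
// Added example, not code from the post or from Firefox: the neutered
// (today "detached") ArrayBuffer hazard of MFSA 2014-31/32 as seen from
// page JavaScript. Assumes Node.js 17+ (structuredClone with transfer).

// Detach a buffer as a transfer/postMessage would: views over it keep
// existing but now report length 0.
function detach(buf) {
  structuredClone(buf, { transfer: [buf] });
}
// byteLength 0 is also true of a genuinely empty buffer; constructing a
// view on a detached one throws, which tells the two apart.
function isDetached(buf) {
  if (typeof buf.detached === 'boolean') return buf.detached; // newer engines
  if (buf.byteLength !== 0) return false;
  try { new Uint8Array(buf); return false; } catch (e) { return true; }
}
// Naive copy: caches the destination length, then coerces each value.
// Number() runs user code (valueOf), which may detach the destination
// mid-loop; a correct engine turns the later writes into silent no-ops,
// whereas the 2014 engine-internal loops wrote out of bounds instead.
function copyNaive(src, dst) {
  const n = Math.min(src.length, dst.length);
  for (let i = 0; i < n; i++) dst[i] = Number(src[i]);
  return n; // iterations performed, not elements that actually landed
}
// Hardened copy: re-checks the live length after every coercion, so a
// detach inside valueOf is reported rather than quietly absorbed.
function copyChecked(src, dst) {
  const len0 = dst.length;
  const n = Math.min(src.length, len0);
  for (let i = 0; i < n; i++) {
    const v = Number(src[i]);
    if (dst.length !== len0) throw new RangeError('destination detached during copy');
    dst[i] = v;
  }
  return n;
}
// Constructed input: the third element detaches the destination when coerced.
function demo() {
  const mk = () => new Uint8Array(new ArrayBuffer(4));
  const hostile = (view) => [1, 2, { valueOf() { detach(view.buffer); return 3; } }, 4];
  const a = mk();
  const naive = copyNaive(hostile(a), a); // loop runs to 4, but a.length is now 0
  const b = mk();
  let threw = false;
  try { copyChecked(hostile(b), b); } catch (e) { threw = e instanceof RangeError; }
  return { naive, lengthAfter: a.length, detached: isDetached(a.buffer), threw };
}
```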

There’s one more Advisory listed as critical, covering a range of possibly-exploitable bugs found by the Mozilla developers themselves, denoted by the usual words “Miscellaneous memory safety hazards.”

Note that the Firefox Extended Support Release (ESR) goes to 24.4.0.

Firefox ESR is commonly used in organisations that are happy to take security fixes frequently, but prefer more time to think about feature changes.

Nice work all round by the Mozilla team.

Image of hands (seen supporting the Firefox logo) courtesy of Shutterstock.