WEB BROWSER OUTFIT Mozilla has fixed several security flaws in Firefox that were uncovered by researchers attending the annual Pwn2own hacking contest.
Firefox was exploited four times with zero-day attacks during the hacking event, making it one of the least secure web browsers out of the four most popular: Google's Chrome, Microsoft's Internet Explorer (IE) and Apple's Safari.
"We implemented all of the fixes over the weekend and will release them on Tuesday with Firefox 28," Mozilla's Senior Engineering Manager of Security and Privacy, Sid Stamm, told The INQUIRER. "By Friday, we expect everyone will be offered the updates, though users can get them manually at any time after the release by checking for Firefox updates."
Because the exploits were not publicly known, Stamm said the security risk to unpatched users was "low", so Mozilla decided not to disrupt users with additional upgrade cycles this week.
The other three major web browsers - Google's Chrome, Microsoft's Internet Explorer (IE) and Apple's Safari - were also exploited as part of the competition, along with the software application Adobe Flash, Firefox saw three takedowns on the first day and another on the second, making it the most exploited web browser of the bunch.
The two-day Pwn2own event wrapped up last Thursday at the Cansecwest conference at the Sheraton Wall Hotel in Vancouver, BC, challenging security researchers, software engineers and hackers to demonstrate flaws in popular consumer and enterprise software systems.
The event sponsor HP's Zero Day Initiative (ZDI) awarded $850,000 in total prize money, leaving $385,000 of potential prize money unclaimed.
"The luck of the draw brought three of four browsers to the table on the first day, and put [security firm] Vupen at the table for four attempts," HP said in a blog post recapping the event.
"All six of Wednesday's attempts were successful. Vupen collected $300,000 for vulnerabilities in Adobe Reader, Microsoft Internet Explorer, Mozilla Firefox, and Adobe Flash, and researchers Mariusz Mlynski and Jüri Aedla each collected $50,000 apiece for vulnerabilities in Firefox."
The second and final day of Pwn2own 2014 saw successful attempts by seven entrants against five products, with $450,000 paid to researchers.
Vupen withdrew an entry against Apple Safari before competition began, while Keen Team compromised the web browser with a heap overflow and sandbox bypass combination for $65,000.
Chinese hacking group Keen Team's Liang Chen appeared with Zeguang Zhao of team509 later in the day to present another heap overflow and sandbox bypass attempt against Adobe Flash, worth $75,000.
Two entrants, Vupen and an anonymous researcher represented by proxy, both presented Google Chrome vulnerabilities. Vupen was awarded $100,000 for a use after free vulnerability that HP analysts have determined affects not only Blink-based browsers but also those built on Webkit.
Meanwhile, the anonymous researcher's attempt was found to partially overlap with a vulnerability demonstrated earlier in the week at Google's Pwnium event, so the remainder of that entry was awarded $60,000. American Hacker George Hotz collected $50,000 against Firefox.
HP's ZDI uses the findings from the competition to improve the company's products and research, while offering the information to the affected vendors so they can improve the security of their products for end-users. µ