VANCOUVER–Less than 24 hours after the vulnerabilities were used and disclosed to them, both Mozilla and Google have issued patches for flaws employed by participants in this week’s Pwn2Own contest at CanSecWest here.
Mozilla has rolled out a new version of Firefox that includes fixes for security vulnerabilities used in the contest, and Google has done the same with Chrome.
“Researchers successfully demonstrated new security vulnerabilities in all three browsers tested – Firefox, Chrome and IE. At the conclusion of the event we received technical details about the exploit so we could issue a fix.
“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users. Our fast turnaround time on this security issue is a reflection of the priority and focus we place on security. Security is more than a side item for us, it’s part of our core principles,” Michael Coates, director of security assurance, said.
Mozilla fixed a critical use-after-free vulnerability in the HTML editor in Firefox that had been used in the Pwn2Own competition. The team from VUPEN successfully compromised Firefox.
Google, which ran its own Pwnium competition alongside Pwn2Own, didn’t get any winning entries in that contest, but a team from MWR Labs did compromise Chrome during Pwn2Own. Google Chrome 25 now includes a fix for a high-risk type confusion vulnerability in WebKit.