Mozilla has fast-tracked a patch for a critical vulnerability affecting its flagship Firefox browser.
The patch, which was originally slated for release on March 30, fixes a vulnerability that could allow remote code execution attacks.
The flaw was originally released as part of the VulnDisco exploit pack in February, but Mozilla’s security response team did not get the details until the middle of March. Now, with the CanSecWest Pwn2Own contest just a day away, the open-source group has shipped the fix and explained the problem:
Security researcher Evgeny Legerov of Intevydis reported that the WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim’s browser and execute arbitrary code on his/her system.
Mozilla said support for the WOFF downloadable font format is new in Firefox 3.6 (Gecko 1.9.2), meaning that this vulnerability does not affect products built on earlier versions of the Mozilla browser engine.
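The bug class the advisory describes, shown as an added illustration rather than Mozilla's decoder code: a buffer size computed from lengths declared inside a font file wraps around 32 bits unless every step is checked. The struct, function names, sample lengths and the 64 MB cap are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified table entry; names are assumptions, not Mozilla's. */
typedef struct {
    uint32_t orig_length; /* decompressed size declared by the font file */
} table_entry;

/* Unchecked: both the 4-byte padding and the running sum can wrap past
   2^32, yielding a size far smaller than the data later written. */
static uint32_t total_size_unchecked(const table_entry *t, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (t[i].orig_length + 3u) & ~3u;
    return total;
}

/* Checked: fail closed if padding wraps or the sum would pass max_total. */
static bool total_size_checked(const table_entry *t, size_t n,
                               uint32_t max_total, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = t[i].orig_length;
        if (len > UINT32_MAX - 3u)
            return false;              /* padding would wrap */
        len = (len + 3u) & ~3u;
        if (len > max_total - total)
            return false;              /* total stays <= max_total, so no wrap */
        total += len;
    }
    *out = total;
    return true;
}

int main(void) {
    /* Constructed input: two declared lengths whose sum exceeds 2^32. */
    const table_entry font[] = { { 0x80000000u }, { 0x80000010u } };
    uint32_t size = 0;
    printf("unchecked size: %u bytes\n", (unsigned)total_size_unchecked(font, 2));
    if (!total_size_checked(font, 2, 64u * 1024u * 1024u, &size))
        puts("checked: font rejected before allocation");
    return 0;
}
```

A decoder that allocates from the unchecked result gets a buffer of a few bytes for gigabytes of declared data; the checked version refuses the file before any allocation happens.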
A hacker known as “Nils” is planning to launch a code execution exploit against Firefox at this year’s Pwn2Own. Last year, Nils hit the trifecta with successful hacking attacks against Firefox, Internet Explorer and Safari.