Mozilla has released Firefox 11 and acknowledged that the security vulnerability that a pair of researchers used in the Pwn2Own contest last week was one that the company already was aware of and working on repairing.
The bug that researchers Willem Pinckaers and Vincenzo Iozzo used to compromise Firefox during Pwn2Own was a “memory safety” issue in the array.join function, Mozilla said. The company said on Monday that it was planning to delay the release of Firefox 11 in order to get the details of the vulnerability from TippingPoint’s Zero Day Initiative, which runs Pwn2Own, and also to ensure that the patches released by Microsoft on Tuesday wouldn’t cause any unforeseen issues with the new version of the browser.
But once the details of the ZDI bug came in, Mozilla officials realized it was one of the vulnerabilities that they already were planning to fix in Firefox 11 and went ahead with the release Tuesday afternoon.
“The security bug reported by ZDI is one we had already identified and fixed through our internal processes. This eliminates the need for us to delay this week’s releases, and we will be shipping them later today. However, in order to understand the impacts of Microsoft’s “Patch Tuesday” fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we’ll push automatic updates out to all of our users,” Johnathan Nightingale of Mozilla said in a blog post.
Mozilla has adopted an accelerated release schedule for Firefox in recent months and is now pushing out a new version of the browser every six weeks. That’s far more often than Microsoft or Apple release new versions of their browsers, but it’s still much less frequently than Google updates Chrome. Google has gotten to a point now where it rarely goes three weeks without releasing a new version of Chrome. Last week alone Google released two new versions of Chrome in order to fix vulnerabilities disclosed as part of its Pwnium contest at CanSecWest.
The full list of bugs fixed in Firefox 11 includes:
MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
MFSA 2012-18 window.fullScreen writeable by untrusted content
MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
MFSA 2012-15 XSS with multiple Content Security Policy headers
MFSA 2012-14 SVG issues found with Address Sanitizer
MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
MFSA 2012-12 Use-after-free in shlwapi.dll
