Mozilla Rushes Out Firefox 3.6.3 to Fix Pwn2own Hack

A new update comes on the heels of yet another Pwn2own exploit, along with a promise of patches for older Firefox versions, as well.

Mozilla isn't wasting any time in its efforts to protect users against new security risks.

Last week, Mozilla’s open source Firefox Web browser was publicly exploited in the Pwn2own hacking competition at the CanSecWest security conference. Late on Thursday, Mozilla moved to fix the Pwn2own flaw with the Firefox 3.6.3 update.

The problem -- a memory corruption flaw that Mozilla titled "Re-use of freed object due to scope confusion" -- could lead to arbitrary code execution. The flaw was publicly demonstrated at Pwn2own by security researcher "Nils" of MWR InfoSecurity.

"By moving DOM nodes between documents, Nils found a case where the moved node incorrectly retained its old scope," Mozilla stated in its security advisory. "If garbage collection could be triggered at the right time then Firefox would later use this freed object."

According to Mozilla, the flaw reported by Nils only affects Firefox 3.6, though Mozilla plans on patching the Firefox 3.5 browser as well just in case there is another potential way of triggering the same flaw.

Firefox 3.6.2 itself had been rushed out just ahead of the Pwn2own event, where security researchers probe fully patched browsers for vulnerabilities. As it turned out, the 3.6.2 update hadn't been enough to stop Nils from finding an exploit.

Nils is no stranger to exploiting fully patched versions of Firefox: The security researcher did the same thing at the previous Pwn2own contest in 2009.

Mozilla, for its part, is likewise used to quickly patching flaws discovered by Nils. With the 2009 pwn2own flaw, Mozilla issued an updated version of Firefox within a week.

Firefox wasn't the only browser hit by a zero-day flaw at this year's Pwn2own. Microsoft's Internet Explorer and Apple's Safari were also exploited by security researchers. Neither of those vendors has yet to patch their respective browsers for their Pwn2own flaws. That doesn't mean users need to worry too much: As part of the contest rules for Pwn2own, participating security researchers must keep the specific details of their exploit private while providing details to the browser vendors so that they can fix the issues.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.