Mozilla fixes flaws uncovered in hacking contest
Mozilla said it had repaired five vulnerabilities exploited by researchers at the recent Pwn2Own hacking contest.
Firefox fell to four teams or individuals at the hacking challenge, suffering twice the number of hacks compared to other browsers. Mariusz Mlynski, Jüri Aedla, and a team from French vulnerability seller Vupen cracked Firefox on the first day of Pwn2Own. George Hotz hacked it on the second. Each successful exploit earned the hacker $50,000, the smallest prize awarded for any of the four participating browsers.
Firefox's failures reflected the ease with which attackers can hack the browser. Unlike Chrome, IE and Safari, Firefox does not include anti-exploit "sandboxing" technology that isolates the browser from the rest of the system.
To execute attack code on a device with a sandboxed browser, hackers must not only exploit a vulnerability in the browser but find a way to bypass the sandbox, often with a second vulnerability.
Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Firefox were poked by the hackers at the challenge, which was co-sponsored by HP TippingPoint's Zero Day Initiative bug bounty program and Google.
The upgrade to Firefox 28 also added support for OS X's Notification Center and VP9 video decoding on all platforms. VP9 is an open-source video compression standard created by Google, and supported by Chrome, Firefox and Opera Software's Opera.
Two other critical Firefox vulnerabilities were patched later. These were identified as memory safety bugs in the engine that powers Firefox. Mozilla also patched three vulnerabilities rated "high," seven tagged "moderate," and three judged "low" in Firefox 28.
Two of the 13 were for Firefox on Android only, while another was limited to Firefox OS, the lightweight browser-based mobile operating system.