Mozilla Follows Google, Patches Firefox as Prep for Pwn2Own

From PC World: Mozilla on Tuesday fixed 11 security flaws in Firefox, following in rival Google's footsteps in patching its browser before a hacking contest kicks off next week.

Nine of the 11 flaws were rated "critical," a threat rating that implies hackers could use the vulnerabilities to compromise a computer or infect it with malware. Of the two remaining bugs, one was labeled "high" and the second was tagged as "moderate."

The updates, which brought the open-source browser to versions 3.6.14 and 3.5.17, were the first since December, a longer-than-usual span between Mozilla patch shipments. Part of the reason was that Tuesday's updates were delayed. They had been slated to show in mid-February, but Mozilla held them to investigate a non-security bug that caused some users' browsers to crash.

The patches in Tuesday's updates addressed three JavaScript flaws, two bugs in Firefox's browser engine, a JPEG rendering vulnerability that could be exploited by serving a malicious image to users, and a cross-site request forgery (CSRF) bug.

An Adobe security researcher reported the CSRF vulnerability, which was the issue rated high, Mozilla said in its patch notes. According to information posted on a security mailing list last month, the CSRF bug can be exploited in several browsers -- Firefox, Apple's Safari and Google's Chrome -- using a malformed Flash file.
