Mozilla First To Patch Pwn2Own Browser Vulnerability
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."
Re:And this is a surprise? (Score:5, Insightful)
I also thought that open source had a built-in Plan B that if a hole was found, anyone could submit a patch and it would get folded in as soon as it was reviewed and approved.
That's funny, this is a story about the Open Source browser being patched before every other browser, and you're not seeing a benefit?
BAH! (Score:5, Insightful)
The contestants already have next year's winning exploit waiting in the wings. Maybe we should have these contests every month instead of once a year.
Re:And this is a surprise? (Score:1, Insightful)
How many stories on Slashdot are surprising?
There is a second benefit (Score:3, Insightful)
Of having discrete components, and of modular operating systems.
Mozilla isn't integrated into the OS, so they can just fix bugs. IE is "integrated into the OS" which means they can't simply fix bugs, they've got to make sure the rest of the big ball of mud OS continues to work as well.
Re:And this is a surprise? (Score:1, Insightful)
On the other hand, Firefox on Linux wasn't exploited at all.
Yes, but there wasn't a Linux box. IE 4 on Windows 95 wasn't exploited during the contest either... does that prove anything?
Re:BULLSHIT. (Score:2, Insightful)
It was only immune in the internet zone, due to MS disabling .NET controls in that zone. The bug still exists and is fully exploitable in the intranet zone. Also, IE has had a long history of cross-zone scripting bugs which allow an attacker to run JS code in a different protection zone than it really exists in. If you trick IE into thinking your code is in the intranet zone, this vulnerability opens right up.
Re:First post. (Score:3, Insightful)
The whole point of Betas is that they have bugs etc. and haven't been tested. If you care about security, you shouldn't use a Beta. If you don't care, why are you asking?