The Pwn2own security challenge is an annual competition in which hackers and security experts from all over the world try to beat the protection of software and mobile devices. Winners of the contenst not only get price money for their efforts, but can also keep the devices they successfully exploited.
This year, all three major browsers – Internet Explorer, Google Chrome and Mozilla Firefox - were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a “use-after-free” memory flaw that it combined with an ASLR/DEP memory exploit. Both ASLR and DEP are part of the Windows operating system that help protect the system’s memory against exploits.
If you are a user of Firefox you may have noticed that a new version is available already, bringing the version of Firefox on the stable channel to 19.0.2 The patch is a direct result of the Pwn2own exploit that was used by Vupen to exploit the Firefox web browser on Windows.
It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.[...]
Source
This year, all three major browsers – Internet Explorer, Google Chrome and Mozilla Firefox - were successfully exploited by security experts. As far as Firefox goes, security firm VUPEN managed to exploit the browser using a “use-after-free” memory flaw that it combined with an ASLR/DEP memory exploit. Both ASLR and DEP are part of the Windows operating system that help protect the system’s memory against exploits.
If you are a user of Firefox you may have noticed that a new version is available already, bringing the version of Firefox on the stable channel to 19.0.2 The patch is a direct result of the Pwn2own exploit that was used by Vupen to exploit the Firefox web browser on Windows.
It is remarkable that Mozilla managed to create and release a patch for the exploit less than 24 hours after the results were announced. While it is certainly possible that the company got word about the exploit earlier than that, it is still a fast turnaround time for a security patch.[...]
Source
