Firefox likely to win race to fix PWN2OWN contest bug

Dogbiscuit · Mar 26, 2009

It's unlikely that either Microsoft or Apple will patch their browsers' bugs before Mozilla. Apple, for example, never generates Safari patches within such a short time span. For that matter, neither does Microsoft.
Click to expand...

Article

Eice · Mar 28, 2009

Dogbiscuit said:

Article
Click to expand...

Not really. Assuming you're running Vista, the final release of IE8 was already immune to the exploit used in PWN2OWN 2009.

http://dvlabs.tippingpoint.com/blog...-exploit-foiled-is-the-browser-finally-secure

In summary, it was a narrow miss for Nils! Had the contest started one day later, his exploit would have been foiled by the RTW of IE8.
Click to expand...

Dogbiscuit · Mar 28, 2009

Yes, point taken. However...

(If you are a conspiracy theorist, you may ask yourself why Microsoft waited for the final released version of IE8 to break the exploit technique, instead of including it in previous beta updates, as they surely didn’t do it overnight, and not for the benefit of pwn2own!)
Click to expand...

To be fair, IE can't be included as they knew about and found a way to mitigate against the exploit technique before the contest started. As pointed out, the patch was already included in the version released the next day.

All this proved was that Mozilla fixed Nil's Firefox bug faster than Apple fixed his Safari bug (both browsers running on a MacBook).

Personally, I don't consider the 'race' by itself of much significance. What's more important and why I posted the article for discussion was the larger question it raised about who fixes their bugs sooner, especially the serious ones.

Eice · Mar 28, 2009

Dogbiscuit said:

To be fair, IE can't be included as they knew about and found a way to mitigate against the exploit technique before the contest started.
Click to expand...

Fairness is a wonderful attribute. Unfortunately, it also often has little to do with reality. Microsoft's fix was delivered one day later, Mozilla's in three weeks, and that's all that matters if we want to talk about the race to fix the PWN2OWN bugs. And if Microsoft's one day somehow doesn't make them faster than Mozilla's three weeks, then all I can say is that it's Apple who was "fastest", not Mozilla.

JRViejo · Mar 28, 2009

FYI. Mozilla patches Firefox's critical Pwn2Own bug

But if you are running IE8 on Win XP, the browser is vulnerable: Hack contest sponsor confirms IE8 bug in final code

"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly known techniques."

Also at risk, said Forslof, are users running IE8 on the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.
Click to expand...

Dogbiscuit · Mar 30, 2009

Eice said:

And if Microsoft's one day somehow doesn't make them faster than Mozilla's three weeks...
Click to expand...

Mozilla released it's patch for this bug (484320) 8-9 days after it was reported to them, a little over a week, not three weeks.

...then all I can say is that it's Apple who was "fastest", not Mozilla.
Click to expand...

What are you talking about?

Log in or Sign up

Firefox likely to win race to fix PWN2OWN contest bug

Dogbiscuit Guest

Eice Registered Member

Dogbiscuit Guest

Eice Registered Member

JRViejo Super Moderator

Dogbiscuit Guest

Log in or Sign up

Firefox likely to win race to fix PWN2OWN contest bug

Dogbiscuit Guest

Eice Registered Member

Dogbiscuit Guest

Eice Registered Member

JRViejo Super Moderator

Dogbiscuit Guest

Useful Searches