Mozilla is scrambling to rush out Firefox 3.0.8 by March 30th (or sooner) to fix a critical bug. **UPDATED:** Mozilla put out the 3.0.8 update late Friday, March 27. The issue is a flaw that can be exploited after an XSLT-triggered crash. Essentially it’s a remote memory-corruption vulnerability, which is not uncommon in Mozilla security updates.
What is a little uncommon is the fact that a proof-of-concept exploit already exists for the flaw (which in my book means that Firefox was exploitable today, a 0-day prior to the late update).
Firefox was at risk from at least one other previously unpatched flaw as well. The one that ‘Nils’ found at the Pwn2Own contest last week is also patched in the 3.0.8 update.
Details of the Pwn2Own vulnerability, though, are still under wraps, so there is no public (AFAIK) exploit code for it yet. There is no indication at this point that the XSLT issue 3.0.8 fixes is in any way related to Nils’s vulnerability either (but it could be).
According to Mozilla’s advisory on Nils’s vulnerability:
Security researcher Nils reported via TippingPoint’s Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim’s computer.
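The bug class the advisory describes is a native object that the collector destroys while C++ code still holds a raw pointer to it. The toy C model below is an added illustration of that pattern and of the usual fix (hold a strong reference for the whole operation); it is not Mozilla’s XUL tree code, and every name in it (`tree_row`, `gc_collect`, `fire_script_callback`, `move_row_unsafe`, `move_row_safe`) is a hypothetical stand-in. The collector is simulated so the stale access is detected deterministically instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a collected object: a reference count plus a "live" flag.
   Added illustration of the bug class in the advisory, not Mozilla's code. */
struct tree_row {
    int refcnt;   /* strong references held by C++ callers */
    bool live;    /* false once the collector has destroyed the object */
    int index;    /* payload: the row's position in the tree */
};

#define MAX_ROWS 4
static struct tree_row g_rows[MAX_ROWS];   /* constructed arena, starts empty */

/* Allocate a row with no strong references held by C++ yet. */
static struct tree_row *row_new(int index) {
    for (int i = 0; i < MAX_ROWS; i++) {
        if (!g_rows[i].live) {
            g_rows[i].refcnt = 0;
            g_rows[i].live = true;
            g_rows[i].index = index;
            return &g_rows[i];
        }
    }
    return NULL;
}

static void row_addref(struct tree_row *r) { r->refcnt++; }
static void row_release(struct tree_row *r) { if (r->refcnt > 0) r->refcnt--; }

/* Simulated garbage collection: destroy every row nobody holds a strong
   reference to. A real GC frees the memory; here the row is poisoned and
   marked dead so a later access is detectable instead of undefined. */
static int gc_collect(void) {
    int destroyed = 0;
    for (int i = 0; i < MAX_ROWS; i++) {
        if (g_rows[i].live && g_rows[i].refcnt == 0) {
            g_rows[i].live = false;
            g_rows[i].index = -1;
            destroyed++;
        }
    }
    return destroyed;
}

/* Hypothetical call-out that may run script and therefore may trigger a
   collection, standing in for the reentrancy the advisory describes. */
static void fire_script_callback(void) {
    gc_collect();
}

/* Buggy shape: take a raw pointer, call out, then use the pointer.
   Returns the row's new index, or -1 if the row was destroyed underneath us
   (the stand-in for the crash in the advisory). */
static int move_row_unsafe(int start_index, int shift) {
    struct tree_row *row = row_new(start_index);
    if (!row) return -1;
    fire_script_callback();      /* collector runs while refcnt is 0 */
    if (!row->live) return -1;   /* with a real allocator this read is a UAF */
    row->index += shift;
    return row->index;
}

/* Hardened shape: hold a strong reference for the whole operation so the
   collector cannot destroy the row while it is in use, then release it. */
static int move_row_safe(int start_index, int shift) {
    struct tree_row *row = row_new(start_index);
    if (!row) return -1;
    row_addref(row);             /* keep the object alive across the call */
    fire_script_callback();
    int result = -1;
    if (row->live) {
        row->index += shift;
        result = row->index;
    }
    row_release(row);            /* now the collector may reclaim it */
    return result;
}

int main(void) {
    printf("unsafe: %d\n", move_row_unsafe(2, 3));   /* -1: row was collected */
    printf("safe:   %d\n", move_row_safe(2, 3));     /* 5: row survived */
    return 0;
}
```

The difference between the two functions is only where the strong reference is taken; in a real engine that is the line a fix for this class of bug adds, and the crash the advisory mentions is what happens when it is missing.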
Nils also defeated IE8 and Safari; it’s not yet clear whether he used a similar attack vector on those browsers, though considering this one is XUL-specific I’m not sure.