From the ‘That Was Fast!’ files:
Late Wednesday at the pwn2own hacking challenge, security firm VUPEN demonstrated a 0day flaw against a fully patched Firefox 19.0.1 browser running on Windows. VUPEN was awarded $60,000 from the contest organizer HP for the exploit.
Less than 24 hrs after the flaw was first reported, Mozilla is out with a fix.
As it turns out the flaw is a Use-After-Free flaw.
“VUPEN Security, via TippingPoint’s Zero Day Initiative, reported a use-after-free within the HTML editor when content script is run by the document.execCommand() function while internal editor operations are occurring,” Mozilla’s advisory stated. “This could allow for arbitrary code execution.”
Use After Free errors are relatively common in Firefox updates. Fixing a reported flaw inside of 24hrs isn’t really common, for any other browser vendor …
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter @TechJournalist.