They released an updated 3.0.8 version of their flagship browser Friday afternoon, just two days after the code was posted to the Milw0rm Web site and earlier than the fix was promised.
This update also fixes a bug disclosed to research firm TippingPoint last week by a hacker who used it to win the company’s Pwn2Own contest at the CanSecWest security conference. It was one of three used by a German hacker, who gave only his first name, Nils, to claim US$15,000 in cash and a laptop as prizes.
Mozilla developers had described the release as a “high-priority firedrill security update” thanks to the attack code, known as a “zero day” exploit. The quick work paid off, as they had expected it to take until early next week to complete testing.
Mozilla says both bugs are “critical.”
Nils’ flaw exploited a bug in a Firefox routine known as method _moveToEdgeShift. He used it to hack the browser running on Mac OS X, but it could affect other platforms as well.
The other flaw, which has to do with the way the browser processes XSL (Extensible Stylesheet Language) stylesheets, affects Firefox on all operating systems, and also affects the Seamonkey Internet application.
Both of these bugs could be triggered by tricking a victim into viewing a maliciously coded Web page, which would then allow an attacker to install unauthorized software on a victim’s system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years.
Firefox’s next update, 3.0.9, is set to be released April 21.