Firefox Announces Same-Day Update After Two Minor Pwn2Own Exploits (mozilla.org)
During this year's Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, reports Cyber Security News, "earning $50,000 and 5 Master of Pwn points." The next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).
But Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox... We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture."
Even though neither attack could escape Firefox's sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla responded to an exploitable security bug within 21 hours, they point out, even winning an award as the fastest to patch.)
The updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible.... To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....
Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected."
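For administrators checking a fleet against the versions listed above, here is an added example (not code from the Mozilla post or from Slashdot) that parses a `firefox --version` string and reports whether the install is at or past the fixed version for its channel. The version table is taken from the post; the ESR detection relies on the "esr" suffix that Firefox ESR desktop builds print in their version string, and the function and constant names are this example's own.

```python
import re

# Minimum versions carrying the fix, as listed in the Mozilla post summarised
# above. ESR branches are keyed by major version; a version string without the
# "esr" suffix is compared against the rapid-release fix.
FIXED_VERSIONS = {
    "esr": {115: (115, 23, 1), 128: (128, 10, 1)},
    "release": (138, 0, 4),
}

# Matches the tail of `firefox --version` output, e.g. "Mozilla Firefox 138.0.3"
# or "Mozilla Firefox 128.10.0esr". The patch component is optional ("138.0").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_version(text):
    """Return ((major, minor, patch), is_esr) parsed from a version string.

    Raises ValueError for anything that is not a plain release or ESR version;
    beta-style strings such as "139.0b5" are rejected rather than guessed at.
    """
    m = _VERSION_RE.search(text.strip())
    if m is None:
        raise ValueError("unrecognised Firefox version: %r" % text)
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def fmt(version):
    """Render a (major, minor, patch) tuple as dotted text."""
    return ".".join(str(part) for part in version)


def check_firefox(text):
    """Classify a `firefox --version` string against FIXED_VERSIONS.

    Returns (ok, message); ok is True only when the installed version is at or
    above the fix for its channel. Tuple comparison does the version ordering,
    so 138.0.10 correctly sorts above 138.0.4.
    """
    version, is_esr = parse_version(text)
    if is_esr:
        fixed = FIXED_VERSIONS["esr"].get(version[0])
        if fixed is None:
            # An ESR line absent from the table (e.g. 102.x) received no fix in
            # this release; flag it instead of silently comparing against 115.
            return False, "ESR %d is not a fixed branch; upgrade" % version[0]
        channel = "ESR %d" % version[0]
    else:
        fixed = FIXED_VERSIONS["release"]
        channel = "release"
    if version >= fixed:
        return True, "%s %s is at or above fixed %s" % (channel, fmt(version), fmt(fixed))
    return False, "%s %s is below fixed %s; update" % (channel, fmt(version), fmt(fixed))


if __name__ == "__main__":
    # Constructed sample strings, in the format `firefox --version` prints on
    # Linux and macOS; feed real output via a pipe in practice.
    for sample in ("Mozilla Firefox 138.0.3", "Mozilla Firefox 128.10.1esr",
                   "Mozilla Firefox 102.15.1esr"):
        ok, message = check_firefox(sample)
        print("OK " if ok else "FIX", message)
```

The check is deliberately strict about the channel: an ESR major version not in the table is reported as needing an upgrade rather than being compared against a different branch, and any version above 138.0.4 on the rapid-release line passes, since later releases carry the fix. Firefox for Android does not expose a `--version` switch, so this covers desktop installs only.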
Re:Great, now only if (Score:4, Funny)
Username checks out: old fart yells at cloud.
Re:Great, now only if (Score:5, Insightful)
Yeah, I don't know why the /. edgelords have so much hate for Firefox. It's my daily driver and it's fine. I certainly would never use Chrome as a daily driver; Google doesn't need to hoover up all my data, thanks.
Re: (Score:3)
They probably remember it as the minimalist browser it was 20 years ago. It was deteriorating in terms of stability for a while, although recent versions seem OK. The UI kind of sucks - but in the same ways that Chrome and Edge's UIs suck. (Copying them was part of the problem.) I also know a few culture-warrior types who hate it because of Mozilla's extracurricular programs, they see their browser as kind of a lifestyle product that should be aligned with their worldview, so they go to a browser like Brav
Re: (Score:2)
Probably due to how the company behaves. The software works just fine, but its disdain for users is amazing. Google is at least widely known for how it behaves, you know what you get, and real truly breaking changes you hear about people bitching online years in advance.
Firefox on the other hand... well maybe tomorrow the shortcuts you use will suddenly no longer work for the simple reason of someone changed a word in a menu and someone else decided completely arbitrarily that means the shortcut needs to m
Re:Great, now only if [better] (Score:2)
Great, now only if Firefox wasn't a giant, bloated pile of shit, burdened with pointless features NO ONE wants. Also, it's fucking slow as frozen monkey piss.
Quoted because of the censor mods. While I agree with you (in spite of your vacuous Subject), I think your rant doesn't help anything. How to distinguish between things that could be fixed and things that must be tolerated? So:
I think in terms of "Would I buy that feature?" Can't recall the last time I noticed a feature of Firefox where the answer was yes, even if the price tag was as low as ten bucks. Probably the password sync option? But that was copied from the Palm... As I imagine it, the software woul
Re:Great, now only if [better] (Score:4, Insightful)
I'll add that even if there are features (or "features") that, at least, I don't want, so far I'm (still) able to disable or re-configure them in a menu or the config file (or .css file) *and* can load extensions that compensate for other things. Can't say the same, to the same extent, about Chrome or Edge. This makes it my preferred browser.
Re: (Score:2)
only replying to say: 'when did slashdot break the 10mil UID mark!?'
not sure if shitstain bots, or actual humans being shitstains tho.
Re: (Score:2)
only replying to say: 'when did slashdot break the 10mil UID mark!?'
It was ratcheted up in several stages a few years back. UIDs seemed to jump from 2 million to 4 million, then 5 and 6. It might have been troll control, new owners inflating #s, or just lazy programming. Bottom line don't trust anyone over 1,000,000, the real number of users is closer to 2 or 3 million (ish).
Awesome! (Score:2)
"earning $50,000 and 5 Master of Pwn points."
All they need to do is earn two more points and they can trade them in for a Pwn2Own branded Frisbee at the prize desk! I'm sooo jealous!