The Firefox 3.6.2 update fixes a critical bug in a font decompression routine that could be exploited to "crash a victim's browser and execute arbitrary code on his/her system," Mozilla said in a security advisory, released late Monday.
[ Google patched 11 vulnerabilities in Chrome just days before the hacking contest. | TippingPoint is offering hackers $100,000 for browser and phone exploits at Pwn2Own. | Apple's browser, which expected to be the first to fall in the hacking contest, recently got 16 fixes. ]
Mozilla had been under pressure to fix the bug, after it was included by Russian security researcher Evgeny Legerov last month in his VulnDisco hacking tool, which is sold as an add-on to the Canvas penetration testing kit. The Firefox team had expected to fix the issue next week, but decided to rush out an earlier update, apparently out of concern that Legerov's code could be misused.
The flaw affects Firefox 3.6, but not earlier versions of the browser, Mozilla said.
In his February forum post disclosing the vulnerability, Legerov said that it affected the browser running on Windows XP and Vista.
The flaw lies in the way Firefox implements a Web-based font standard called the Web Open Font Format.
The Firefox update comes as hackers prepare to compete in a three-day contest at Vancouver's CanSecWest security conference. During the Pwn2Own event, contestants will try to break into computers by leveraging previously undisclosed bugs in Firefox, Internet Explorer, Safari, and Chrome. Winners will take home the laptop they break into, as well as a US$10,000 cash prize.
Mozilla is in good company, updating its software ahead of the contest. Apple and Google have also fixed their browsers in the past few weeks.
Contest organizers had previously stated that Legerov's bug wouldn't count if used in their contest, however, since it's already been disclosed.
Firefox 3.6.2 is available for Windows, Mac, and Linux users.