14 DAY TRIAL // Like Google, Mozilla was quick to fix the issue revealed during the Pwn2Own competition. Firefox 19.0.2, which patches the vulnerability, is out and is being pushed through the update channels.
Firefox, like all the other browsers in the competition, was successfully exploited. This year, contestants had to disclose the bugs and methods they used in their exploits, so fixes are available shortly after the exploits were demonstrated.
"We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users," Mozilla explained.
The Vupen Security team, which successfully took down Firefox, relied on a use-after-free bug within the HTML editor built into the browser. This happens when a content script is run with the document.execCommand() function.
Vupen boasted about using a new technique to bypass the built-in security mechanisms on Windows, ASLR and DEP.
This step was needed to fully exploit the Firefox bug and allow attackers to run arbitrary code and take over the machine.