With the annual Pwn2Own hacking event due to kick off tomorrow, Mozilla has confirmed that Firefox 3.6 has an unpatched critical vulnerability. The fact that Pwn2Own competitors will not be able to exploit this vulnerability to claim the Firefox hacking prize will be of no interest to the millions of ordinary users who think they remain exposed and vulnerable until a patch arrives at the end of the month. But they could get protected right now if they wanted, and without changing browser clients as suggested by the German government.

The vulnerability has already been patched by Mozilla developers, according to an official posting, which adds that it is "currently undergoing quality assurance testing for the fix" and so will not be made generally available until the scheduled Firefox 3.6.2 release on March 30th. However, Mozilla says that "users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here". Mozilla also recommends that people testing the 3.7 development builds "should upgrade to 3.7 alpha 3 or the latest nightly build" in order to ensure that they have this fix.

Meanwhile, according to SC Magazine, the German government has "advised users not to use Mozilla Firefox" because of the flaw. Could this be the start of the downfall of Firefox? I'm certainly getting a lot more email these days from people who have made the move first from MSIE to Firefox and now to Google Chrome and seem particularly happy with the combination of speed and security that it offers, for now. How they will react when the inevitable first really big Chrome security hole appears remains to be seen. In the world of browser client security the mantra appears to be the bigger they are the harder it is not to fall, as market share attracts hacker attention. Chrome will, as it continues to gain momentum and market share, discover this soon enough I suspect. That said, so far I've been very impressed with the newest client on the block.

Of course, going back to Pwn2Own, it's not the first time that Firefox has been in trouble here. Chrome, meanwhile, has so far stood alone as secure in the face of the Pwn2Own hackers, with even the Mac getting hacked in under 10 seconds last year.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Ezzaral 2,714

Looks like they pushed 3.6.2 a bit early. I got an update alert today for it.

Cool. Not had mine yet, but then I'm using Chrome most of the time anyway now.