Issue
The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious code execution.
Impact
These issues can be exploited by tricking a user into visiting a malicious web page hosting the exploit code. The pwn2own bug can be mitigated by disabling JavaScript.
Status
Both issues have been investigated and fixes have been developed which are now undergoing quality assurance testing. These fixes will be included in the upcoming Firefox 3.0.8 release, due to be released by April 1. You can follow our work in bugzilla.
Credit
The pwn2own bug was reported to Mozilla by Nils via the Zero Day Initiative (ZDI). The XSLT issue was discovered on http://www.milw0rm.com/exploits/8285, credited to Guido Landi.
Ross
wrote on
Kurt
wrote on
Angus Scott-Fleming
wrote on
Ross
wrote on
Colin
wrote on
Evan L
wrote on
Nikolai
wrote on
Phil
wrote on
Hugo
wrote on
RyanVM
wrote on
Daniel Veditz
wrote on
Giorgio Maone
wrote on
Eddie Johnson
wrote on
Michael Tero
wrote on
Lori Coffman
wrote on
PC.Tech
wrote on