Pwn2Own ends with Oracle Java, Reader and Adobe Flash exploits

Day two of the Pwn2Own competition at CanSecWest was again successful for French Vupen security, as they succeeded in exploiting Adobe Flash on Internet Explorer 9 on Windows 7 by chaining together three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) and earning themselves another $70,000.

George Hotz exploited Adobe Reader XI (also on IE 9 on Win7), and Ben Murphy - the last contestant to target Java - has also managed to earn a prize even though he wasn't there, because James Forshaw, a winner from the previous day, agreed to serve as proxy and demonstrate the attack.

All in all, ZDI has awarded over half a million dollars in cash prizes and, of course, the compromised laptops and ZDI reward points.

The Google financed Pwnium hacking contest - also held at CanSecWest - this year requires contestants to "break" Chrome OS but has so far not witnessed a successful exploitation.

In the meantime, Mozilla has already fixed the use-after-free zero-day flaw exploited yesterday by Vupen Security, and Google has issued a Chrome update that fixes the flaws discovered by the MWR Labs team.

Mozilla Releases Firefox 6 for Coders

Mozilla has officially released Firefox 6, offering a new JavaScript editor and several other tools aimed at web developers.

Over the weekend, the open source outfit posted the latest stable version of Firefox to its FTP servers, but the browser wasn't formally released on the web until Tuesday.

Firefox 6 is the second incarnation of the browser released under Mozilla's new quarterly development cycle. Previously, the organization rolled out a new Firefox every eighteen months or so, but then Google upped the ante.

With the latest version, Mozilla says, it has improved the startup time of Panorma, a means of organizing your browser tabs, and it has tweaked the "Awesome Bar" – the Firefox address bar – to make it easier to identify exactly where you are on the web. But the biggest changes are for developers.

Mozilla has added a text editor called Scratchpad that lets developers enter, execute, test, and tweak JavaScript code. The idea to offer an alternative to Firefox's Web Console or the Firebug command line, which are designed around a single-line interface. "Interaction with Scratchpad is quite different. It throws away the 'one line of input gives you a line of output' interaction in favor of a text editor that knows how to run JavaScript," Mozilla says.

But if you prefer the Web Console, Mozilla has updated it as well, improving the auto-complete tool and letting you change where the console is located. In the past, the console was anchored to the top of the browser window, but you can now move it to the bottom or open it in a separate window.

The open source outfit has also added a "Window.matchMedia" API to help developers optimize their site or web app across disparate platforms, and "Prefixed WebSockets" and "server-sent event" APIs, designed to facilitate communication between Firefox and back-end web servers.

Packed with all sorts of additional security and bug fixes, Firefox is available for Windows, Mac, and Linux. You can download it here.

Mozilla also released a new version of Firefox for Android on Tuesday, adding a new welcome screen designed to provide quicker access to various tools, working to improve image rendering, and rolling in a few tools for those building mobile web apps. This includes a "single touch events" API, for detecting screen touches and gestures, and IndexedDB API, which provides local database storage for apps that need to work offline.

The new Firefox for Android is now available from Google's Android Market.

Mozilla message to enterprise customers: "Drop dead"

The Mozilla Corporation shipped Firefox 5 this week, almost exactly three months after it shipped Firefox 4.

Does that seem like an insane tempo? Ha! Fasten your seatbelts, because Mozilla plans to ship Firefox 6 in exactly six weeks, with Firefox 7 six weeks after that, and Firefox 8 … well, you get the idea. Not coincidentally, that release schedule perfectly matches up with browser archrival Google Chrome.

At that pace, in June 2014, a mere three years from now, Firefox will be on version 29.

If you’d prefer to opt out of that breakneck development cycle, Mozilla has some guidance for you: Fuggedaboutit.

Remarkably, that is Mozilla’s direct, uncensored response to its corporate partners.

If you are even considering migrating your business to Firefox, I strongly recommend you read two recent blog posts by consultant Mike Kaply.

Kaply, whose consulting company specializes in customizing Firefox for enterprises, calls the new rapid-release policy “a really bad idea.” The worst part is that with each new release, Mozilla is completely dropping support for the previous one.

Unlike consumers, who are thrilled at the chance to install new code every six weeks, enterprises crave stability:

Companies simply can’t turn around major browser updates in six weeks (and each one of these is a major update). With security releases, there was a reasonable expectation that web applications wouldn’t break as a result of changes. With these releases, there is no such expectation. So a full test cycle needs to be run with every release. By the time this cycle is completed and the browser is piloted and deployed, another version of Firefox would already be released so they’d already be behind.

In a follow-up post, Kaply quotes two fellow enterprise admins who are extremely worried about their ability to support Firefox.

So, has Mozilla reached out to Kaply to reassure him that they’ve got his back? No. In fact, Firefox evangelist Asa Dotzler showed up in the comments of Kaply’s post to tell him, bluntly, that he can expect zero support:

Mike, you do realize that we get about 2 million Firefox downloads per day from regular user types, right? Your “big numbers” here are really just a drop in the bucket, fractions of fractions of a percent of our user base.
Enterprise has never been (and I’ll argue, shouldn’t be) a focus of ours. Until we run out of people who don’t have sysadmins and enterprise deployment teams looking out for them, I can’t imagine why we’d focus at all on the kinds of environments you care so much about.

Some 14 hours later, after Kaply argues that Mozilla should “throw a few resources at [the problem] and try to solve it,” Dotzler doubles down:

A minute spent making a corporate user happy can better be spent making many regular users happy. I’d much rather Mozilla spending its limited resources looking out for the billions of users that don’t have enterprise support systems already taking care of them.

You hear that, enterprise admins? You don’t count, and Mozilla has no intention of supporting your extensive investments in testing browser releases before deployment. And if you think that’s just a misunderstanding, Dotzler wants to make it very, very clear that Mozilla is serious:

As for John’s concern, “By the time I validate Firefox 5, what guarantee would I have that Firefox 5 won’t go EOL [end of life] when Firefox 6 is released?” 

He has the opposite of guarantees that won’t happen. He has my promise that it will happen. Firefox 6 will be the EOL of Firefox 5. And Firefox 7 will be the EOL for Firefox 6.

Update: As of June 24, 2011, less than six weeks before the scheduled release of Firefox 5, this is the published product roadmap for that release:

• TBD
• TBD
• TBD
• …anything that improves responsiveness and is ready
• …anything that improves stability and is ready
• …anything that polishes the user interface and is ready
• …anything else serving product priorities and is ready

That’s also the “roadmap” for versions 6 and 7, both due before the end of the year. If you’re developing on the Mozilla platform, is that enough information for you?

Source: Zdnet

Firefox 5 Now Available for Download

Just three months after the release of Firefox 4, Mozilla has pushed out Firefox 5 for the desktop and Android devices.

That’s a big change from the two years it took to move from Firefox 3.5 to Firefox 4. Firefox 5 is part of Mozilla’s new rapid release development cycle. This cycle, which is more akin to what Google does with its Chrome browser, promises faster, more iterative updates. With any luck, Mozilla expects Firefox to hit version 7 by the end of the year.

Visually, Firefox 5 looks identical to Firefox 4. Everything we said in our Firefox 4 review applies to this release.

Rather than reinventing the wheel, Mozilla has added better support for web standards, fixed some bugs, made performance enhancements and added a few additional code touches.

The big new features, courtesy of the release notes include:

• Support for CSS animations


• Better visibility for the Do-Not-Track header preference


• Improved canvas and JavaScript support


• Better standards support for canvas, HTML5, XHR, MathML and SMIL


• Better tuned HTTP idle connection logic

In another move that mimics what Google does with Chrome, Mozilla now has more options for users who want to partake in the beta and testing process. In addition to nightly and beta channel releases, users can also opt to use the new Aurora channel, which will give users access to features before they hit beta, but with limited QA testing that you don’t get with nightly releases. This is akin to Chrome’s developer channel.

In my tests, Firefox 5 is fast — even faster than Firefox 4. I also love the more frequent update cycle, because it means that the browser will be more able to support the latest and greatest browser features.

To update to the latest Firefox, click on the “check for updates” button in the “About Firefox” menu. In the comments, let me know your thoughts of the new Firefox and its more frequent release cycle.

Firefox 5 Gets Faster Connections, Up Next: Memory Improvements

Firefox 5 is a week away from being released as a final version. The browser is expected to be released as final on June 21. When you look at the changelog you will notice quite a few under the hood improvements that have not been talked about yet. HTTP Transactions sorted by CWND is one of those features. Most users probably wouldn’t associate a faster browser with that feature in particular, but the explanation on the Bugzilla site might change that.

What really distinguishes different connections to the same server is the size of the sending congestion window (CWND) on the server. If the window is large enough to support the next response document then it can all be transferred (by definition) in 1 RTT.

It basically means that Firefox may load resources faster if connection handling and priorities are changed.

I’ve done an experiment to show the best case – a link to a 25KB resource off of a page that contains a mixture of small and large content. In both cases the 25KB resource is loaded with an idle persistent connection. In the historic case it reuses a connection that had loaded a small image previously and it takes 3RTT (793ms) to transfer it.. in the case of sorting by cwnd the window is large enough to accommodate the entire resource and it is all complete in 1 RTT (363ms). Cool!

Even better, the worst case scenario is the status quo of Firefox 4. Users who are interested in a longer, more technical explanation, can visit the Bitsup blog for a taste of that.

Firefox 4 transfer

Firefox 5 transfer

The guys over at HTTPWatch have tested the new feature and found the “the performance benefit [to be] substantial”.

In other news: Firefox has a bad reputation for excessive memory usage, and related to this slow downs especially on startup or when closing the browser window. While that is certainly not the perception of all Firefox users, many perceive Firefox as a browser that uses to much memory.

The MemShrink project aims to optimize Firefox’s memory consumption. The developers list speed, stability and perception as the three core benefits of optimizing the memory usage of the Mozilla Firefox web browser.

The project members will analyze memory leak reports and prioritize them based on numbers of affected users and their default priority.

The developers have created a new website called Are We Slim Yet which tracks the process of cutting down on Firefox’s memory usage.

If things go forward as planned, we might see considerable memory footprint reductions in coming versions of the browser.