Johnathan Nightingale, senior director of Firefox engineering, on Monday said Mozilla was delaying Firefox 11’s launch to examine a bug unveiled at last week’s Pwn2Own hacking contest and to give developers time to scrutinise Microsoft’s security updates.
On the last day of Pwn2Own, a two-man team – Vincenzo Iozzo and Willem Pinckaers – exploited a Firefox vulnerability to take the contest’s $30,000 second-place prise. ZDI, which sponsored the Pwn2Own hacking contest that ran last week, reported vulnerabilities used at the event to vendors on Monday.
Originally, Nightingale said that the delay would be “a day or two.” On Tuesday, he updated his post to a Mozilla blog confirming that the upgrade would go out after all.
“The security bug reported by ZDI is one we had already identified and fixed through our internal processes,” said Nightingale. “This eliminates the need for us to delay this week’s releases and we will be shipping them later today.”
Mozilla Firefox 11, is available for downloading from the company’s website. Firefox 11 includes the usual security patches, as well as a few new features noticeable to users, such as synchronising add-ons across all Firefox-equipped machines.
Also scheduled to launch today is the next security update to Firefox 3.6, the two-year-old browser that will be retired from support next month.
Pwn2Own was not the only hacking event held last week: At the same time and at the same security conference, Google hosted its inaugural Pwnium challenge where it solicited vulnerabilities and exploits for Chrome. Google paid out $120,000 to two researchers who demonstrated exploits of Chrome and its integrated sandbox.
As for Tuesday’s Windows security updates, which Nightingale acknowledged had “interacted badly with our updates before,” Mozilla was taking a different tack.
“In order to understand the impacts of Microsoft’s ‘Patch Tuesday’ fixes, we will initially release Firefox for manual updates only,” Nightingale said. “Once those impacts are understood, we’ll push automatic updates out to all of our users.”