anuseems Posted March 11, 2013

Mozilla and Google have already pushed out patches to stop the exploits that got past their browsers at this year's PWN2OWN competition!

Firefox goes to version 19.0.2, fixing what Mozilla describes as a Use-after-free in HTML Editor:

→ Mac and Linux users of Firefox may be wondering where 19.0.1 went, as they won't have seen such a version. It was a Windows-only update to deal with some Windows-specific graphics card troubles. There were no security fixes in it.

Chrome goes to version 25.0.1364.160, fixing what Google calls a Type confusion in WebKit:

These updates certainly throw down the gauntlet to Microsoft, whose Internet Explorer 10 browser was also successfully breached in the competition.

Microsoft has already announced - or "pre-announced", whatever that means - the fixes that are coming in next week's Patch Tuesday, and for obvious reasons, the vulnerability revealed yesterday is not one of them.

So it's hard to imagine Microsoft being ready with a fix before next month, let alone by next week.

Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.

But since Internet Explorer is supposed to be "just another application" as far as Windows (and certainly the European Union) is concerned, you'd have to think that it's still within the bounds of possibility for Microsoft to do something before next Tuesday rolls around.

Even if it's only a temporary Fixit patch, or a consumer-centric patch pushed to non-corporate users only.

For Microsoft to get out an IE patch in time for next week would be a strong technical showing, a great security outcome, and a fantastic marketing manoeuvre.

While we wait for Redmond, let's congratulate the Mozilla and the Chrome teams on their speedy responses.

And let's remember, too, that this story shows that the scales aren't inevitably tipped in the Bad Guys' favour, as we so often hear people complain.

Word on the street is that the exploits deployed in this year's PWN2OWN didn't come easily, taking weeks or even months of dedicated effort to uncover, while the patches, at least for the open-source browser codebases, came really quickly.

It's nice to know that ever more security really is getting baked into the browser software with which we confront the perils of the internet!

Patch Tuesday is bringing seven security fixes, with Microsoft deeming four of them "drop-everything-and-fix-this-now" critical.

The patches are for Windows, Internet Explorer and Office, as well as a sprinkling for Windows Server and Silverlight.

Microsoft says that four of the patches will address "critical" vulnerabilities.

"Critical" is, of course, Microsoft's highest severity rating.

It covers self-propagating malware such as network worms or common-use scenarios in which code is executed without warning or prompt, such as when users open booby-trapped email or suffer drive-by attacks from maliciously rigged webpages.

In this patch go-round, Microsoft warns that critical flaws might allow for remote code execution on Windows, IE, Silverlight and Office.

Another critical vulnerability would allow for elevation of privilege on Office and Server Software.

Flaws rated "important" could lead to elevation of user privileges or the disclosure of user data or personal information.

On Microsoft's vulnerability executive summary page, the company says that two of the patches address publicly disclosed holes - in Windows and Exchange Server.

One of those two security updates, bulletin MS13-011, addresses a Windows vulnerability that would allow remote code execution via a boobytrapped media file, such as an .mpg; an Office document, such as a .ppt file containing a rigged and embedded media file; or maliciously crafted streaming content.

Hackers exploiting that vulnerability could gain the same user rights as the current user.

Bulletin MS13-012, an update for the second publicly disclosed vulnerability, fixes a Microsoft Exchange Server WebReady Document Viewing hole that could also allow remote code execution.

The problem here is with the security context of the transcoding service on the Exchange server when a user previews a maliciously crafted file using Outlook Web App (OWA).

Of course, as soon as Tuesday comes, malicious hackers will be glued to their screens. They'll be checking out Microsoft's patches and will get to work on code to exploit computers whose owners or system administrators haven't patched, pronto.

As for the vulnerabilities that have been publicly disclosed, well, those attackers have that much more of a head-start.

This month, as with every Patch Tuesday, the longer you wait to apply the security patches, the more time attackers will have to finesse, and launch, their attacks.

So don't delay: patch as soon as possible.

On the surface of it, March doesn't look half as gnarly as the monster-sized 57 updates that Microsoft dumped on our doorsteps in February.

But numbers don't tell the whole story. For every corporation, every patch brings the possibility of conflicts.

So this week, tiptoe gently around the support people. Lord knows they'll be busy making sure the place stays afloat.

@ http://nakedsecurity.sophos.com/2013/03/08/firefox-and-chrome-patched-already-after-pwn2own-now-the-pressure-is-on-for-ie-and-microsoft/

demoneye Posted March 11, 2013

For ages users find holes in all browsers, is a loose was Google and Mozilla :D
This topic is now archived and is closed to further replies.