Just days before the start of a hacking contest set to target Web browser vulnerabilities, Mozilla has patched its flagship Firefox browser. Just days before the start of a hacking contest set to target Web browser vulnerabilities, Mozilla has patched its flagship Firefox browser.The Firefox 3.6.2 update fixes a critical bug in a font decompression routine that could be exploited to “crash a victim’s browser and execute arbitrary code on his/her system,” Mozilla said in a security advisory, released late Monday. Mozilla had been under pressure to fix the bug, after it was included by Russian security researcher Evgeny Legerov last month in his VulnDisco hacking tool, which is sold as an add-on to the Canvas penetration testing kit. The Firefox team had expected to fix the issue next week, but decided to rush out an earlier update, apparently out of concern that Legerov’s code could be misused.The flaw affects Firefox 3.6, but not earlier versions of the browser, Mozilla said. In his February forum post disclosing the vulnerability, Legerov said that it affected the browser running on Windows XP and Vista.The flaw lies in the way Firefox implements a Web-based font standard called the Web Open Font Format. The Firefox update comes as hackers prepare to compete in a three-day contest at Vancouver’s CanSecWest security conference. During the Pwn2Own event, contestants will try to break into computers by leveraging previously undisclosed bugs in Firefox, Internet Explorer, Safari, and Chrome. Winners will take home the laptop they break into, as well as a US$10,000 cash prize.Mozilla is in good company, updating its software ahead of the contest. Apple and Google have also fixed their browsers in the past few weeks.Contest organizers had previously stated that Legerov’s bug wouldn’t count if used in their contest, however, since it’s already been disclosed.Firefox 3.6.2 is available for Windows, Mac, and Linux users. Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe