In a twisted reverse April fool, Mozilla decided to anticipate the release from April the 1st: it’s today, folks.
As you may already know, it fixes:
- the mysterious flaw exploited by “Nils” at the CanSecWest Pwn2Own contest, at the speed of light (the IE8 and Safari vulnerabilities revealed the same day are still unpatched);
- the XLST processing bug which I wrote about yesterday.
Since we can (un)safely assume this is not the only potentially exploitable XSLT parser bug hanging around, today I released the NoScript 126.96.36.199 development build, featuring specific XSLT protection: XSL stylesheets won’t be processed unless they’re from a trusted source and their parent document is trusted as well. This countermeasure effectively prevents malicious sites from crashing (or, worse, compromising) your browser through this or any other XSLT bug discovered in future. As NoScript’s motto says, defeating “exploitation of security vulnerabilities, known and even not known yet!” :)