Article Details

Original Article Text


Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own.

Mozilla has released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited during the Pwn2Own Vancouver 2024 hacking competition.

Manfred Paul (@_manfp) earned a $100,000 award and 10 Master of Pwn points after exploiting an out-of-bounds (OOB) write flaw (CVE-2024-29944) to gain remote code execution and escaping Mozilla Firefox's sandbox using an exposed dangerous function weakness (CVE-2024-29943).

Mozilla describes the first vulnerability as a privileged JavaScript execution via event handlers that could enable an attacker to execute arbitrary code in the parent process of the Firefox Desktop web browser. The second one can let attackers access a JavaScript object out-of-bounds by exploiting range-based bounds check elimination on vulnerable systems. "An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination," Mozilla explained.

Mozilla fixed the security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to block potential remote code execution attacks targeting unpatched web browsers on desktop devices.

The two security vulnerabilities were patched only one day after Manfred Paul exploited and reported them at the Pwn2Own hacking contest. However, after the Pwn2Own competition, vendors usually take their time to release patches as they have 90 days to push fixes until Trend Micro's Zero Day Initiative publicly discloses them.

Pwn2Own 2024 Vancouver ended on March 22 after security researchers earned $1,132,500 for 29 zero-day exploits and exploit chains demonstrated over the two days of the contest.

Manfred Paul won this year's edition with 25 Master of Pwn points and $202,500 in cash prizes after also hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers. On the first day, he gained remote code execution (RCE) in Safari via a PAC bypass and an integer underflow bug zero-day combo. He also demoed a double-tap RCE exploit targeting an Improper Validation of Specified Quantity in Input weakness to take down Chrome and Edge.

ZDI has awarded a total of $3,494,750 and two Tesla Model 3 cars during the last three Pwn2Own hacking contests (Toronto, Tokyo Automotive, and Vancouver).

Daily Brief Summary

CYBERCRIME // Mozilla Addresses Two Exploited Zero-Day Vulnerabilities in Firefox

Mozilla has released updates to fix two zero-day vulnerabilities that were exploited in the Firefox browser during the Pwn2Own Vancouver 2024 event.

Researcher Manfred Paul received a $100,000 reward for discovering and demonstrating the flaws, which allowed for remote code execution and sandbox escape.

The first vulnerability allowed arbitrary code execution through Firefox's event handlers, while the second involved an out-of-bounds write on a JavaScript object.

The vulnerabilities, identified as CVE-2024-29944 and CVE-2024-29943, were patched in versions Firefox 124.0.1 and Firefox ESR 115.9.1.

Fixes were issued just one day after the zero-day exploits were reported at the contest, significantly quicker than the typical 90-day disclosure deadline provided by Trend Micro's Zero Day Initiative.

In total, participants at Pwn2Own Vancouver 2024 earned over $1 million for exploiting 29 zero-day vulnerabilities, with Manfred Paul leading the event in cash prizes and points.

The event showcased the vulnerabilities of major browsers, including Firefox, Safari, Chrome, and Edge, and emphasized the ongoing importance and value of ethical hacking in cybersecurity.