Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own

March 22, 2024 at 01:52PM

Mozilla released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited during the Pwn2Own Vancouver 2024 hacking competition. Manfred Paul earned $100,000 and 10 Master of Pwn points after exploiting the flaws. Mozilla quickly patched the vulnerabilities in Firefox 124.0.1 and Firefox ESR 115.9.1 to prevent further attacks.

Mozilla has released security updates to address two zero-day vulnerabilities in the Firefox web browser that were exploited during the Pwn2Own Vancouver 2024 hacking competition.

Manfred Paul was awarded $100,000 and 10 Master of Pwn points for exploiting an out-of-bounds write flaw (CVE-2024-29944) to gain remote code execution and then escaping Firefox’s sandbox through an exposed dangerous function weakness (CVE-2024-29943).

The vulnerabilities were described as enabling privileged JavaScript execution via event handlers and allowing attackers to perform an out-of-bounds read or write on a JavaScript object.

Mozilla has fixed the security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to block potential remote code execution attacks targeting unpatched web browsers on desktop devices. These patches were released one day after the exploits were reported at the Pwn2Own hacking contest.
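For a defender, the actionable part of this story is the pair of fixed versions. The following is an added example, not code from the article or from Mozilla: it decides whether a reported Firefox version string is at or past the fixed build on its branch (release 124.0.1 or ESR 115.9.1, as stated above) and lists the hosts in a constructed inventory that still need the update. The version-string formats and the host inventory are assumptions made for the example.

```python
# Added example (not from the article or Mozilla): patch-status check for the
# two Pwn2Own 2024 Firefox fixes. Fixed builds are taken from the article:
# Firefox 124.0.1 on the release branch, Firefox ESR 115.9.1 on the ESR branch.
from typing import List, Tuple

FIXED_RELEASE = (124, 0, 1)
FIXED_ESR = (115, 9, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn strings such as '124.0.1' or '115.9.1esr' into a comparable tuple.

    The 'esr' suffix is dropped and short versions are padded to three parts,
    so '124.0' compares as (124, 0, 0).
    """
    core = version.strip().lower().removesuffix("esr")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str) -> bool:
    """True when the version includes the fixes for CVE-2024-29943/29944."""
    v = parse_version(version)
    # ESR 115.x line: fixed from 115.9.1 onward.
    if v[0] == FIXED_ESR[0]:
        return v >= FIXED_ESR
    # Majors between the two supported lines (116..123) received no fix.
    if FIXED_ESR[0] < v[0] < FIXED_RELEASE[0]:
        return False
    # Release line: 124.0.1 and anything newer; older lines fall through as unpatched.
    return v >= FIXED_RELEASE


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported Firefox version is still unpatched."""
    return [host for host, version in inventory if not is_patched(version)]


# Constructed sample inventory (hostname, reported Firefox version); not real data.
INVENTORY = [
    ("ws-01", "124.0"),
    ("ws-02", "124.0.1"),
    ("srv-03", "115.9.0esr"),
    ("srv-04", "115.9.1esr"),
    ("ws-05", "123.0"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: update Firefox to 124.0.1 or ESR 115.9.1")
```

The branch logic matters more than the string comparison: a desktop reporting 123.0 is older than 124.0.1 and unpatched, while an ESR client on 115.9.1 is patched even though its number is lower, so a naive "is the version at least 124.0.1" check would misclassify every ESR install.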

Vendors usually take longer to release patches after a Pwn2Own competition, since they have 90 days to push fixes before the Zero Day Initiative publicly discloses the vulnerabilities.

Pwn2Own Vancouver 2024 ended on March 22, and Manfred Paul emerged as the winner after also hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers, earning a total of 25 Master of Pwn points and $202,500 in cash prizes.

Overall, the story highlights Mozilla’s quick response in patching the vulnerabilities exploited at the contest and the significant impact that security researchers’ findings and exploits have on the technology industry.
