2 Firefox Zero-Days Exploited At Pwn2Own: Patch Now


Mozilla has fixed two zero-day vulnerabilities in the Firefox web browser that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest.

The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.

The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, CVE-2024-29944 and CVE-2024-29943.


Manfred Paul (@_manfp) accomplished his Mozilla Firefox sandbox escape by using an OOB Write (CVE-2024-29943) for the RCE and an exposed dangerous function bug (CVE-2024-29944). 

He earned an additional $100,000 and 10 Master of Pwn points, putting him in the lead with 25 points.

Finally, Manfred Paul has been granted the title of Pwn Master. In all, he earned $202,500 and 25 points.

Details Of The Security Flaws Patched

CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass

According to Mozilla, an attacker could fool range-based bounds check elimination and perform an out-of-bounds read or write on a JavaScript object.

Firefox < 124.0.1 is vulnerable to this attack.

“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.

CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

An attacker was able to inject an event handler into a privileged object, which allowed arbitrary JavaScript execution in the parent process.

This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.

“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.

Patch Released

Mozilla published Firefox 124.0.1 and Firefox ESR 115.9.1 to address both security issues.

These flaws highlight how crucial it is to keep up strict security procedures and apply software updates as soon as they are made available. 

By updating to Firefox 124.0.1, users can ensure they are safe from these critical vulnerabilities and any related risks.
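
To check a fleet against the fixed versions named above, the following added example (not from Mozilla or the original article) classifies version strings as patched or not. It assumes inventory data in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample versions are constructed.

```python
import re

# Fixed releases named in the article.
FIXED_RELEASE = (124, 0, 1)
FIXED_ESR = (115, 9, 1)

# Assumed input: `firefox --version` style text, e.g. "Mozilla Firefox 115.9.1esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch), m.group(4) is not None


def needs_update(text):
    """True if below the fixed version for its channel, None if unparseable."""
    parsed = parse_firefox_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    return version < (FIXED_ESR if is_esr else FIXED_RELEASE)


def audit(inventory):
    """Map host -> 'UPDATE', 'OK' or 'UNKNOWN' for (host, version string) pairs."""
    labels = {True: "UPDATE", False: "OK", None: "UNKNOWN"}
    return {host: labels[needs_update(v)] for host, v in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 124.0"),
    ("ws-02", "Mozilla Firefox 124.0.1"),
    ("ws-03", "Mozilla Firefox 115.9.0esr"),
    ("ws-04", "Mozilla Firefox 115.9.1esr"),
    ("ws-05", "Mozilla Firefox 123.0.1"),
    ("ws-06", "firefox: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `UNKNOWN` returned no parseable version and need a manual check rather than being treated as patched.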
