Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024
March 23, 2024
Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.
Mozilla has done an amazing job addressing two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.
The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, respectively tracked CVE-2024-29944 and CVE-2024-29943.
On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.
Below is the description of both issues, according to the advisory the vulnerability CVE-2024-29944 affects Desktop Firefox only, it does not affect mobile versions of Firefox:
- CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
- CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.
Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.
Pwn2Own Vancouver 2024 hacking competition took place this week, Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 in the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days. On day one, the Team Synacktiv successfully demonstrated exploits against a Tesla car.
The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Mozilla)