Mozilla has swiftly patched two critical zero-day vulnerabilities in the Firefox web browser. These flaws were publicly demonstrated at the recent Pwn2Own Vancouver 2024 hacking contest.
Manfred Paul (@_manfp) earned a $100,000 award and 10 Master of Pwn points after exploiting an out-of-bounds (OOB) write flaw (CVE-2024-29944) to gain remote code execution and escaping Mozilla Firefox’s sandbox using an exposed dangerous function weakness (CVE-2024-29943).
CONFIRMED! Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of #Mozilla #Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25. #Pwn2Own pic.twitter.com/kxDwBf17oj
— Zero Day Initiative (@thezdi) March 21, 2024
Mozilla describes the first vulnerability as a privileged JavaScript execution via event handlers that could enable an attacker to execute arbitrary code in the parent process of the Firefox Desktop web browser.
The second one can let attackers access a JavaScript object out-of-bounds by exploiting range-based bounds check elimination on vulnerable systems.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination,” Mozilla explained.
Mozilla fixed the security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to block potential remote code execution attacks targeting unpatched web browsers on desktop devices.
The two security vulnerabilities were patched only one day after Manfred Paul exploited and reported them at the Pwn2Own hacking contest.
Bijay Pokharel
Related posts
Recent Posts
Subscribe
Cybersecurity Newsletter
You have Successfully Subscribed!
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox. You are also consenting to our Privacy Policy and Terms of Use.