Mozilla has launched safety updates to repair two zero-day vulnerabilities within the Firefox internet browser exploited in the course of the Pwn2Own Vancouver 2024 hacking competitors.
Manfred Paul (@_manfp) earned a $100,000 award and 10 Grasp of Pwn factors after exploiting an out-of-bounds (OOB) write flaw (CVE-2024-29943) to realize distant code execution and escaping Mozilla Firefox’s sandbox utilizing an uncovered harmful operate weak point (CVE-2024-29944).
Mozilla says the primary vulnerability can let attackers entry a JavaScript object out-of-bounds by exploiting range-based bounds test elimination on weak techniques.
“An attacker was in a position to carry out an out-of-bounds learn or write on a JavaScript object by fooling range-based bounds test elimination,” Mozilla defined.
The second is described as a privileged JavaScript execution by way of occasion handlers that might allow an attacker to execute arbitrary code within the mum or dad strategy of the Firefox Desktop internet browser.
Mozilla mounted the safety flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to dam potential distant code execution assaults focusing on unpatched internet browsers on desktop units.
The 2 safety vulnerabilities had been patched solely sooner or later after Manfred Paul exploited and reported them on the Pwn2Own hacking contest.
Nevertheless, after the Pwn2Own competitors, distributors often take their time to launch patches as they’ve 90 days to push fixes till Development Micro’s Zero Day Initiative publicly discloses them.
Pwn2Own 2024 Vancouver ended on March 22 after safety researchers earned $1,132,500 for 29 zero-day exploits and exploit chains demonstrated over the 2 days of the competition.
Manfred Paul gained this 12 months’s version with 25 Grasp of Pwn factors and $202,500 in money prizes after additionally hacking the Apple Safari, Google Chrome, and Microsoft Edge internet browsers.
On the primary day, he gained distant code execution (RCE) in Safari by way of a PAC bypass and an integer underflow bug zero-day combo. He additionally demoed a double-tap RCE exploit focusing on an Improper Validation of Specified Amount in Enter weak point to take down Chrome and Edge.
ZDI has awarded a complete of $3,494,750 and two Tesla Mannequin 3 automobiles over the past three Pwn2Own hacking contests (Toronto, Tokyo Automotive, and Vancouver).