Patch Now: Exploits Targeting 2 Firefox Zero-Days Unveiled at Pwn2Own

Mozilla has swiftly responded to two zero-day vulnerabilities exploited during the recent Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.

During this week’s Pwn2Own Vancouver 2024 hacking competition, Trend Micro’s Zero Day Initiative (ZDI) disclosed that participants were awarded $1,132,500 for showcasing 29 distinct zero-days.

Researcher Manfred Paul (@_manfp), the winner of the competition, successfully exploited two critical vulnerabilities: CVE-2024-29944 and CVE-2024-29943.

Manfred Paul (@_manfp) achieved a Mozilla Firefox sandbox escape with an OOB Write (CVE-2024-29943) for RCE and an exposed dangerous function bug (CVE-2024-29944), earning an additional $100,000 and 10 Master of Pwn points, totaling $202,500 and 25 points, and the title of Pwn Master.

2 Firefox Zero-Days Unveiled at Pwn2Own

CVE-2024-29943: Out-Of-Bounds Access via Range Analysis Bypass Mozilla warns that attackers could exploit this vulnerability to deceive range-based bounds check elimination and execute out-of-bounds reads or writes on JavaScript objects. Firefox versions prior to 124.0.1 are susceptible to this attack. Mozilla’s advisory states, “An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.”

CVE-2024-29944: Privileged JavaScript Execution via Event Handlers This vulnerability allows attackers to inject event handlers into privileged objects, enabling arbitrary JavaScript execution in the parent process. Only desktop versions of Firefox are affected; mobile versions remain unaffected. According to Mozilla, “An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.”

Mitigation

Mozilla has released Firefox 124.0.1 and Firefox ESR 115.9.1 to resolve both security issues. These vulnerabilities underscore the importance of maintaining rigorous security protocols and promptly applying software updates. Users can mitigate these critical risks by updating to Firefox 124.0.1.