Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024
Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.
Mozilla has done an amazing job addressing two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.
The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, respectively tracked CVE-2024-29944 and CVE-2024-29943.
On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.
Below is the description of both issues, according to the advisory the vulnerability CVE-2024-29944 affects Desktop Firefox only, it does not affect mobile versions of Firefox:
- CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
- CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.Â
Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.
​Pwn2Own Vancouver 2024 hacking competition took place this week, Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 in the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days. On day one, the Team Synacktiv successfully demonstrated exploits against a Tesla car.
The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mozilla)