2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now

Mozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.

The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.

The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, such as CVE-2024-29944 and CVE-2024-29943.

Manfred Paul (@_manfp) accomplished his Mozilla Firefox sandbox escape by using an OOB Write (CVE-2024-29943) for the RCE and an exposed dangerous function bug (CVE-2024-29944).

He gains an additional $100,000 in addition to 10 Master of Pwn points, putting him ahead of the lead with 25 points.

Finally, Manfred Paul has been granted the title of Pwn Master. In all, he earned $202,500 and 25 points.

Details Of The Security Flaws Patched

CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass

According to Mozilla, an attacker might deceive range-based bounds check elimination and execute an out-of-bounds read or write on a JavaScript object.

Firefox < 124.0.1 is vulnerable to this attack.

“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.

CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

To enable arbitrary JavaScript execution in the parent process, an attacker was able to inject an event handler into a privileged object.

This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.

“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.