Mozilla Patches Zeroday Vulnerabilities identified during Pwn2Own
Share this:
Mozilla has issued emergency security updates to fix two critical “zero-day” vulnerabilities in the Firefox web browser. These flaws were skilfully exploited during the recent Pwn2Own Vancouver 2024 hacking contest.
The vulnerabilities tracked as, CVE-2024-29944, and CVE-2024-29943, were expertly exploited by researcher Manfred Paul (@_manfp), who not only showcased the flaws but also earned a $100,000 award and 10 Master of Pwn points for his efforts. Security researcher Manfred Paul masterfully chained together two vulnerabilities in Firefox to achieve full-blown remote code execution.
CVE-2024-29944 (Out-of-Bounds Write): Paul used a flaw in JavaScript event handlers to manipulate Firefox’s memory, allowing him to write code beyond the intended boundaries. This is the cyber equivalent of scribbling outside the lines.
CVE-2024-29943 (Exposed Dangerous Function): He then found an exposed system function in Firefox, one normally hidden from prying eyes, and leveraged it to execute his custom code, breaking him free from the protective confines of Firefox’s sandbox.
Successful exploitation of these linked vulnerabilities could have allowed an attacker to perform malicious activities.
Mozilla acted swiftly, releasing Firefox 124.0.1 and Firefox ESR 115.9.1 to address these security flaws. It is crucial that all Firefox users immediately update their browsers. You can update manually by going into ‘Settings’ or ‘About Firefox,’ or your browser may update automatically.
