Patch Now for the Two Firefox Zero-Day Exploits at Pwn2Own

Two zero-day vulnerabilities in the Firefox web browser were recently exploited during the Pwn2Own Vancouver 2024 hacking competition. Mozilla is claiming to have fixed these vulnerabilities.

Participants in this week's Pwn2Own Vancouver 2024 hacking competition received $1,132,500 for showcasing 29 distinct zero-days, according to Trend Micro's Zero Day Initiative (ZDI).

Manfred Paul (@_manfp), a researcher, became victorious in the competition by using 2 crucial vulnerabilities, namely “CVE-2024-29944” & “CVE-2024-29943”.

Manfred used an exposed hazardous function bug (CVE-2024-29944) and an OOB Write (CVE-2024-29943) for the RCE to escape the Mozilla Firefox sandbox.

As a result, Firefox has granted him an extra $100,000 in addition to 10 Master of Pwn points. Thus, he was able to achieve 25 points more than the leader.

At last, Manfred Paul has been rewarded with the Pwn Master designation and received $202,500 and 25 points total.

Details of the Security Flaws Patched

Here are some details of the security flaws that the Firefox Zero-Day patches:

CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass

Mozilla claims that a hacker might carry out an out-of-bounds read or write on a JavaScript object and fool range-based bounds check elimination. This attack can affect Firefox versions less than 124.0.1.

“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination,” Mozilla said in its advisory.

CVE-2024-29944: Privileged JavaScript Execution via Event Handlers

By injecting an event handler into a privileged object, a hacker could allow arbitrary JavaScript execution in the parent process. Only Firefox desktop versions are impacted by this issue; mobile versions are not.

“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process,” Mozilla stated.

Patch Released

To fix both security flaws, Mozilla released “Firefox 124.0.1” & “Firefox ESR 115.9.1” updates. These vulnerabilities emphasize the importance of maintaining strict security protocols and installing software updates as soon as they become available. Users can ensure they are safe from these vulnerabilities and associated risks by updating to the Firefox 124.0.1 version.