Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own

Mozilla has released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited during the Pwn2Own Vancouver 2024 hacking competition.

Manfred Paul (@_manfp) earned a $100,000 award and 10 Master of Pwn points after exploiting an out-of-bounds (OOB) write flaw (CVE-2024-29944) to gain remote code execution and escaping Mozilla Firefox's sandbox using an exposed dangerous function weakness (CVE-2024-29943).

Mozilla describes the first vulnerability as a privileged JavaScript execution via event handlers that could enable an attacker to execute arbitrary code in the parent process of the Firefox Desktop web browser.

The second one can let attackers access a JavaScript object out-of-bounds by exploiting range-based bounds check elimination on vulnerable systems.

"An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination," Mozilla explained.

Mozilla fixed the security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to block potential remote code execution attacks targeting unpatched web browsers on desktop devices.

​The two security vulnerabilities were patched only one day after Manfred Paul exploited and reported them at the Pwn2Own hacking contest.

However, after the Pwn2Own competition, vendors usually take their time to release patches as they have 90 days to push fixes until Trend Micro's Zero Day Initiative publicly discloses them.

Pwn2Own 2024 Vancouver ended on March 22 after security researchers earned $1,132,500 for 29 zero-day exploits and exploit chains demonstrated over the two days of the contest.

Manfred Paul won this year's edition with 25 Master of Pwn points and $202,500 in cash prizes after also hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers.

On the first day, he gained remote code execution (RCE) in Safari via a PAC bypass and an integer underflow bug zero-day combo. He also demoed a double-tap RCE exploit targeting an Improper Validation of Specified Quantity in Input weakness to take down Chrome and Edge.

ZDI has awarded a total of $3,494,750 and two Tesla Model 3 cars during the last three Pwn2Own hacking contests (Toronto, Tokyo Automotive, and Vancouver).