Firefox Patches Critical Zero-Day Vulnerabilities Exposed in Pwn2Own 2024
Mozilla has issued emergency security updates to fix two critical “zero-day” vulnerabilities in the Firefox web browser. These flaws were skillfully exploited during the recent Pwn2Own Vancouver 2024 hacking contest.
Zero-Day Dangers
Zero-day vulnerabilities are the cybersecurity equivalent of an unlocked door for hackers. They are unknown to the software vendor, meaning a patch isn’t available, and attackers can actively exploit them in the wild.
The Exploit Chain
The vulnerabilities in question, CVE-2024-29944 and CVE-2024-29943, were expertly exploited by security researcher Manfred Paul (@_manfp), who earned a $100,000 award and 10 Master of Pwn points for his efforts. Paul chained the two vulnerabilities together to achieve full remote code execution.
CONFIRMED! Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of #Mozilla #Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25. #Pwn2Own pic.twitter.com/kxDwBf17oj
— Zero Day Initiative (@thezdi) March 21, 2024
- CVE-2024-29944 (Out-of-Bounds Write): Paul used a flaw in JavaScript event handlers to manipulate Firefox’s memory, allowing him to write code beyond the intended boundaries. This is the cyber equivalent of scribbling outside the lines.
- CVE-2024-29943 (Exposed Dangerous Function): He then found an exposed system function in Firefox, one normally hidden from prying eyes, and leveraged it to execute his custom code, breaking him free from the protective confines of Firefox’s sandbox.
What Could the Attack Do?
Successful exploitation of these linked vulnerabilities could have allowed an attacker to:
- Install malware: Download and install malicious software on a victim’s machine.
- Steal data: Access sensitive information like passwords, financial data, or browsing history.
- Create a backdoor: Establish a hidden way to remotely control the compromised system.
The Fix
Mozilla acted swiftly, releasing Firefox 124.0.1 and Firefox ESR 115.9.1 to address these security flaws.
Update Immediately!
It is crucial that all Firefox users immediately update their browsers. You can update manually by going into ‘Settings’ or ‘About Firefox,’ or your browser may update automatically.
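For administrators who need to confirm the fix across many machines, the following added example (not from Mozilla or the original article) classifies collected version strings against the two fixed versions named above. It assumes each string has the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the host names and sample inventory are constructed.

```python
import re

# Fixed versions named in the article.
FIXED_RELEASE = (124, 0, 1)   # Firefox 124.0.1
FIXED_ESR = (115, 9, 1)       # Firefox ESR 115.9.1

# Assumed input form: "Mozilla Firefox 124.0.1" or "Mozilla Firefox 115.9.1esr".
VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+){0,2})(esr)?\s*$")

def parse(line):
    """Return ((major, minor, patch), is_esr), or None if unrecognised."""
    m = VERSION_RE.search(line.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))      # "124.0" -> (124, 0, 0)
    return tuple(parts), bool(m.group(2))

def status(line):
    """Classify one version string as patched, needs-update or unknown."""
    parsed = parse(line)
    if parsed is None:
        return "unknown"                 # e.g. beta builds or garbled output
    version, is_esr = parsed
    # ESR and regular releases are compared against different fixed versions.
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return "patched" if version >= fixed else "needs-update"

def audit(inventory):
    """Map each host to the status of its reported Firefox version."""
    return {host: status(line) for host, line in inventory.items()}

# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "ws-01": "Mozilla Firefox 124.0.1",
    "ws-02": "Mozilla Firefox 124.0",
    "ws-03": "Mozilla Firefox 115.9.1esr",
    "ws-04": "Mozilla Firefox 115.9.0esr",
    "ws-05": "Mozilla Firefox 115.9.1",   # not ESR: judged against 124.0.1
    "ws-06": "Mozilla Firefox 125.0b3",   # pre-release string, not parsed
}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(f"{host}\t{result}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed safe.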