2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Mozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.
The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.
The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, such asCVE-2024-29944 and CVE-2024-29943.
Manfred Paul (@_manfp) accomplished his Mozilla Firefox sandbox escape by using an OOB Write (CVE-2024-29943) for the RCE and an exposed dangerous function bug (CVE-2024-29944).
He gains an additional $100,000 in addition to 10 Master of Pwn points, putting him ahead of the lead with 25 points.
Finally, Manfred Paul has been granted the title of Pwn Master. In all, he earned $202,500 and 25 points.
Details Of The Security Flaws Patched
CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass
According to Mozilla, an attacker might deceive range-based bounds check elimination and execute an out-of-bounds read or write on a JavaScript object.
Firefox < 124.0.1 is vulnerable to this attack.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.
CVE-2024-29944: Privileged JavaScript Execution via Event Handlers
To enable arbitrary JavaScript execution in the parent process, an attacker was able to inject an event handler into a privileged object.
This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.
“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.
Patch Released
Mozilla published Firefox 124.0.1 and Firefox ESR 115.9.1 to address both security issues.
These flaws highlight how crucial it is to keep up strict security procedures and apply software updates as soon as they are made available.
#Cyber_Security_News #FireFox #Vulnerability #Cybersecurity_Patch #Firefox_Zero-days #Pwn2Own_Vancouver_2024
Оригинальная версия на сайте:
2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now
Author: Guru BaranMozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.
The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.
The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, such asCVE-2024-29944 and CVE-2024-29943.
Manfred Paul (@_manfp) accomplished his Mozilla Firefox sandbox escape by using an OOB Write (CVE-2024-29943) for the RCE and an exposed dangerous function bug (CVE-2024-29944).
He gains an additional $100,000 in addition to 10 Master of Pwn points, putting him ahead of the lead with 25 points.
Finally, Manfred Paul has been granted the title of Pwn Master. In all, he earned $202,500 and 25 points.
Details Of The Security Flaws Patched
CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass
According to Mozilla, an attacker might deceive range-based bounds check elimination and execute an out-of-bounds read or write on a JavaScript object.
Firefox < 124.0.1 is vulnerable to this attack.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.
CVE-2024-29944: Privileged JavaScript Execution via Event Handlers
To enable arbitrary JavaScript execution in the parent process, an attacker was able to inject an event handler into a privileged object.
This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.
“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.
Patch Released
Mozilla published Firefox 124.0.1 and Firefox ESR 115.9.1 to address both security issues.
These flaws highlight how crucial it is to keep up strict security procedures and apply software updates as soon as they are made available.
#Cyber_Security_News #FireFox #Vulnerability #Cybersecurity_Patch #Firefox_Zero-days #Pwn2Own_Vancouver_2024
Оригинальная версия на сайте:
