Mozilla Quickly Patches Two Zero-Day Vulnerabilities Exposed at Pwn2Own Vancouver 2024

March 22, 2024

Mozilla has issued security patches to address two zero-day vulnerabilities that were exploited in its Firefox web browser during the Pwn2Own Vancouver 2024 hacking competition. These vulnerabilities were exploited by Manfred Paul (@_manfp), who was awarded $100,000 and 10 Master of Pwn points for his efforts.

The first vulnerability, identified as CVE-2024-29944, is an out-of-bounds (OOB) write flaw that could allow an attacker to execute arbitrary code remotely and escape Mozilla Firefox's sandbox by exploiting an exposed dangerous function flaw (CVE-2024-29943). Mozilla defined the first vulnerability as a privileged JavaScript execution via event handlers that could permit an attacker to execute arbitrary code in the parent process of the Firefox Desktop web browser.

The second vulnerability allows attackers to access a JavaScript object out-of-bounds by exploiting range-based bounds check elimination on vulnerable systems. Mozilla clarified, 'An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.'

Mozilla addressed these security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to prevent potential remote code execution attacks targeting unpatched web browsers on desktop devices. These two security vulnerabilities were patched just a day after they were exploited and reported by Manfred Paul at the Pwn2Own hacking competition. Despite this, vendors typically take their time to release patches as they have 90 days to issue fixes before Trend Micro's Zero Day Initiative publicly discloses them.

The Pwn2Own 2024 Vancouver competition concluded on March 22, with security researchers earning a total of $1,132,500 for demonstrating 29 zero-day exploits and exploit chains over the course of the two-day contest. Manfred Paul emerged as the winner of this year's edition, earning 25 Master of Pwn points and $202,500 in cash prizes for also successfully exploiting vulnerabilities in the Apple Safari, Google Chrome, and Microsoft Edge web browsers. On the first day of the competition, he achieved remote code execution (RCE) in Safari via a PAC bypass and an integer underflow bug zero-day combination. He also showcased a double-tap RCE exploit targeting an Improper Validation of Specified Quantity in Input vulnerability to take down Chrome and Edge.

Over the course of the last three Pwn2Own hacking contests (Toronto, Tokyo Automotive, and Vancouver), ZDI has awarded a total of $3,494,750 and two Tesla Model 3 cars.

Latest News

• China-Linked Threat Cluster Exploits Connectwise, F5 Software Vulnerabilities
• Critical Fortinet RCE Bug Exploited in Attacks: Security Researchers Release PoC Exploit
• Ivanti Alerts Customers to Critical Sentry RCE Vulnerability, Releases Urgent Patch
• Atlassian Patches Over Two Dozen Vulnerabilities Including a Critical Bug in Bamboo
• Rise in Ransomware, Cryptomining, and RAT Attacks Due to TeamCity Vulnerability