2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now
Mozilla addresses two zero-day vulnerabilities that be pleased been not too long previously exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox internet browser.
The Pwn2Own Vancouver 2024 hacking competition used to be held this week, and Pattern Micro’s Zero Day Initiative (ZDI) printed that members obtained $1,132,500 for exhibiting 29 sure zero-days.
The competition’s winner, researcher Manfred Paul (@_manfp), exploited two severe vulnerabilities, comparable to CVE-2024-29944 and CVE-2024-29943.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams wish to triage 100s of vulnerabilities. :
- The squawk of vulnerability fatigue at the present time
- Difference between CVSS-voice vulnerability vs distress-primarily based fully vulnerability
- Evaluating vulnerabilities according to the industry affect/distress
- Automation to lower alert fatigue and strengthen security posture seriously
AcuRisQ, which lets you quantify distress accurately:
Manfred Paul (@_manfp) done his Mozilla Firefox sandbox spoil out by utilizing an OOB Write (CVE-2024-29943) for the RCE and an uncovered harmful characteristic worm (CVE-2024-29944).
He positive aspects an additional $100,000 as well to 10 Grasp of Pwn functions, putting him ahead of the lead with 25 functions.
In the end, Manfred Paul has been granted the title of Pwn Grasp. In all, he earned $202,500 and 25 functions.
Small print Of The Safety Flaws Patched
CVE-2024-29943: Out-Of-Bounds Access through Differ Prognosis bypass
In step with Mozilla, an attacker may well maybe maybe additionally deceive fluctuate-primarily based fully bounds check elimination and form an out-of-bounds read or write on a JavaScript object.
Firefox < 124.0.1 is at distress of this assault.
“An attacker used to be ready to develop an out-of-bounds read or write on a JavaScript object by fooling fluctuate-primarily based fully bounds check elimination”, Mozilla acknowledged in its advisory.
CVE-2024-29944: Privileged JavaScript Execution through Tournament Handlers
To permit arbitrary JavaScript execution in the parent job, an attacker used to be ready to inject an tournament handler staunch into a privileged object.
This vulnerability handiest affects desktop versions of Firefox; cell versions are unaffected.
“An attacker used to be ready to inject an tournament handler staunch into a privileged object that will maybe maybe permit arbitrary JavaScript execution in the parent job”, Mozilla acknowledged.
Patch Launched
Mozilla printed Firefox 124.0.1 and Firefox ESR 115.9.1 to tackle both security problems.
These flaws highlight how wanted it is to retain strict security procedures and practice tool updates as soon as they’re made on hand.
By updating to Firefox 124.0.1, users can make sure they’re valid from these severe vulnerabilities and any connected risks.
Cease unsleeping so some distance on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Source credit : cybersecuritynews.com
