Mozilla has swiftly patched a pair of critical Firefox zero-days after a researcher debuted them at a Vancouver cybersec competition.

Manfred Paul demonstrated the bugs at Pwn2Own last week, the latest in the series of vulnerability and exploit events run by Trend Micro's Zero Day Initiative (ZDI). The event had security experts vying to exploit the most vulnerabilities across the competition, earning cash prizes and league table points for each success.

Paul exploited two vulnerabilities, both of which were rated "critical," which is to say they are each thought to carry a severity score of 9.0 or above, although specific ratings are yet to be assigned. They're now tracked as CVE-2024-29943 and CVE-2024-29944 - an an out-of-bounds read/write and a privileged code execution bug respectively.

The full descriptions per Mozilla's advisory:

• CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination

• CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox

The way Pwn2Own works is that researchers demonstrate how their exploit works against a target product. If it's successful, they then go into a backroom to verify it works and isn't already known to the vendor.

Each event typically has a theme - a category of products that researchers try to exploit. The recent Vancouver event incorporated all the categories on the current program, whereas the previous one focused solely on automotive hardware and software.

Within 24 hours, Mozilla verified that Paul's vulnerabilities were genuine and released patches for them. Users can upgrade to Firefox 124.0.1, released on March 22, to ensure they're protected.

"Last night, about 21 hours ago, Manfred Paul demonstrated a security exploit targeting Firefox 124 at Pwn2Own," said Frederik Braun, Firefox security engineer and manager at Mozilla, on Mastodon. "In response, we have just published Firefox 124.0.1 (and Firefox ESR 115.9.1) containing the security fix. Please update your foxes!

"Kudos to all the countless people postponing their sleep and working towards resolving this so quickly! Really impressive teamwork again. Also, kudos to Manfred for pwning Firefox again."

Some users have encountered situations where they were running Firefox 123 but couldn't upgrade directly to 124.0.1. They instead had to upgrade to 124.0, and then scan for updates a second time to get up to 124.0.1.

Braun said the team is looking into it, and assured that 124.0.1 is available to all users, but offered the following explanation in the interim.

"I'm being told that we offer partial updates from versions 122.0.1, 123.0, 123.0.1, and 124.0. But it might be that a Firefox may have already had the 124.0 metadata response cached or the 124.0 update downloaded and prepared for an update before the check for 124.0.1 came in. Could that be? Hard to tell at this point.

"Either way, I need to clarify that 124.0 was a staged roll-out. 124.0.1 is un-throttled and offered to 100 percent of our users, because security."

Pwn2Own Vancouver overview

Paul earned $100,000 for his Firefox exploits and a total prize of $202,500 for the entire two-day competition, which he won overall.

It was a bad week to be a web browser with Paul around. He collected 25 points across the competition, successfully demonstrating exploits in Apple's Safari, Chrome, and Edge.

French offensive security outfit Synacktiv came in second place, narrowly behind Paul with 20 points and a total cash haul of $200,000. The team only demonstrated one exploit: an integer overflow bug in Tesla's electronic control unit with vehicle CAN BUS control. That alone was enough for 20 points and the $200,000. They also walked away with a brand-new Tesla Model 3.

The prize of a fresh Muskmobile was actually Synacktiv's second of all time. It broke into the car during an event in 2023 and the team was awarded a model of their own. They continued their exploits during their runaway victory in January's Pwn2Own automotive competition. They picked up 50 points and a total haul of $450,000 across the three-day pwn-off.

The experts exploited the Tesla infotainment system and Tesla modem, among a slew of other in-car devices, software, and electric vehicle charging stations.

Pwn2Own Vancouver awarded $1,132,500 in total to researchers who disclosed 29 unique zero-days to vendors, with Mozilla being the first affected vendor to issue patches. ®

https://www.theregister.com//2024/03/25/mozilla_fixes_firefox_zerodays/