Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024

Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.

Mozilla has done an amazing job addressing two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, respectively tracked CVE-2024-29944 and CVE-2024-29943.

On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

Below is the description of both issues, according to the advisory the vulnerability CVE-2024-29944 affects Desktop Firefox only, it does not affect mobile versions of Firefox:

  • CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. 

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.

​Pwn2Own Vancouver 2024 hacking competition took place this week, Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 in the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days. On day one, the Team Synacktiv successfully demonstrated exploits against a Tesla car.

The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)