Mozilla has swiftly addressed two zero-day vulnerabilities discovered during the Pwn2Own Vancouver 2024 hacking competition, where researcher Manfred Paul exploited them to showcase his skills. To mitigate CVE-2024-29944 and CVE-2024-29943, both of which impact Firefox, Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1, emphasizing its commitment to user security.
Paul’s demonstration, which earned him $100,000 and 10 Master of Pwn points, involved a sandbox escape that used an out-of-bounds (OOB) write for the remote code execution (RCE) and an exposed dangerous function bug.
The vulnerabilities allowed attackers to perform an out-of-bounds read or write on a JavaScript object and to inject event handlers into privileged objects, enabling arbitrary JavaScript execution in the parent process. These critical issues prompted Mozilla’s swift response, highlighting the importance of proactive security measures in the face of evolving cyber threats.
The Pwn2Own Vancouver 2024 hacking competition, where participants earned a total of $1,132,500 for demonstrating 29 unique zero-days, underscores the significance of such events in driving cybersecurity research and innovation.