Mozilla fixes Firefox, Thunderbird zero-days exploited at Pwn2Own

by | May 25, 2022 | News

mozilla zero-day vulnerability Pwn2Own

Post Views: 320

Premium Content

patreon

Subscribe to Patreon to watch this episode.

 

Reading Time: 1 Minute

Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest.

 

 

 

If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

The zero-days have been fixed in Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.

Manfred Paul (@_manfp) earned $100,000 and 10 Master of Pwn points after demoing prototype pollution and improper input validation bugs on the first day of Pwn2Own.

The first vulnerability is a prototype pollution in Top-Level Await implementation (tracked as CVE-2022-1802) that can let an attacker corrupt the methods of an Array object in JavaScript using prototype pollution to achieve JavaScript code execution in a privileged context.

The second one (CVE-2022-1529) allows attackers to abuse Java object indexing improper input validation in prototype pollution injection attacks.

“An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process,” Mozilla explained.

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

 

 

Solutions

 

 

The Cybersecurity and Infrastructure Security Agency (CISA) also encouraged admins and users on Monday to patch these security flaws, given that threat actors could exploit them to “take control of an affected system.”

Mozilla patched these vulnerabilities two days after they were exploited and reported at the Pwn2Own hacking contest by Manfred Paul.

However, vendors don’t usually hurry to release patches after Pwn2Own since they have 90 days to push security fixes until Trend Micro’s Zero Day Initiative publicly discloses them.

 

 

 
 
 

See Also: Kali Linux 2022.2 released with new tools, terminal tweaks and more

 

 

 

 

See Also: Recon Tool: Dorks collections list

 

 

Pwn2Own 2022 Vancouver ended on May 20 after 17 competitors earned $1,155,000 for zero-day exploits and exploit chains demonstrated over three days after 21 attempts.

Security researchers also earned $400,000 for 26 zero-day exploits targeting ICS and SCADA products demoed between April 19 and April 21 during the 2022 Pwn2Own Miami contest.

 

 

 

 

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

 

 

 

See Also: Write up: Find hidden and encrypted secrets from any website

 

Source: www.bleepingcomputer.com

Source Link

 

 

 

 

 

Merch

Share This