Mozilla releases security patches to fix critical zero-day bugs in Firefox

Mozilla recently released security patches to fix two critical zero-day vulnerabilities in Firefox 124.0.1 and one in Firefox ESR 115.9.1. It became the first vendor to release patches for critical bugs discovered during the Pwn2Own Vancouver 2024.

Mozilla fixes two security vulnerabilities in Firefox 124.0.1 and one in Firefox ESR 115.9.1

A recent tweet by Zero Day Initiatives confirmed that Manfred Paul won $10000 and 10 Master of Pwn points at the Pwn2Own 2024 as he exploited the Out-of-bounds (OOB) Write flaw for the Remote Code Execution (RCE) and escaped Firefox’s sandbox using an exposed dangerous function.

It is worth noting that Paul topped the leaderboard with 25 Master of Pwn points at the hacking competition.

Talking about the first security vulnerability (CVE-2024-29943), Mozilla explained:

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.

Additionally, Mozilla also talked about the second vulnerability (CVE-2024-29944) that affected Firefox on desktop devices:

An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox.

Mozilla acted quickly on the identified vulnerabilities and rolled out security patches for Firefox a day later. Moreover, a security patch is also released in Firefox ESR 115.9.1 to block RCE attacks targeting Firefox on desktop devices.