Mozilla patches two critical zero-day vulnerabilities uncovered at Pwn2Own competition

Mozilla has issued security patches to address two zero-day vulnerabilities in its Firefox web browser, both of which were exploited during the Pwn2Own Vancouver 2024 hacking competition.

The first vulnerability, identified as CVE-2024-29943, could enable an attacker to perform an out-of-bounds read or write on a JavaScript object by tricking range-based bounds check elimination. The second vulnerability, CVE-2024-29944, could allow an attacker to inject an event handler into a privileged object, leading to arbitrary JavaScript execution in the parent process. This vulnerability specifically impacts desktop versions of Firefox and does not affect mobile versions.

Mozilla has categorized both vulnerabilities as 'critical severity' bugs, although it has not provided a CVSS score for either. The company has rectified both security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to prevent potential remote code execution attacks targeting unpatched desktop web browsers. These vulnerabilities were exploited and disclosed at the Pwn2Own competition the previous day.

During the hacking contest, participants earned over $1.1 million. Paul Manfred, declared the winner, also hacked the Safari, Chrome, and Edge browsers, amassing over $200,000 in bug bounty rewards. He was awarded $100,000 for discovering the two Firefox zero-days.