Skip to content

Mozilla has addressed two high-severity zero-day vulnerabilities in its Firefox web browser that were exploited by security researchers during the recent Pwn2Own Vancouver 2024 hacking contest.

The first vulnerability, assigned CVE-2024-29943, is an out-of-bounds memory access issue that could allow an attacker to read or write data from unintended areas of a JavaScript object. This flaw stemmed from a mistake in Firefox’s range-based bounds check elimination process.

The second issue, tracked as CVE-2024-29944, involved the ability for an attacker to inject malicious event handlers into a privileged object within Firefox. By doing so, they could achieve arbitrary code execution within the browser’s parent process. This vulnerability only affected the desktop version of Firefox.

These zero-days were discovered and demonstrated by the security researcher Manfred Paul (@_manfp) during the Pwn2Own contest on 22nd March 2024. Paul earned $100,000 and 10 master of pwn points for exploiting the flaws to escape Firefox’s sandbox protections.

Mozilla responded swiftly, releasing Firefox version 124.0.1 and Firefox ESR 115.9.1 the following day to patch the two vulnerabilities. Users are advised to apply these updates as soon as possible to prevent potential attacks leveraging the zero-day exploits.

While there are currently no reports of these vulnerabilities being actively exploited in the wild, their severity highlights the importance of prompt security updates. Malicious parties could leverage the bugs to execute malware, steal data, or carry out other malicious actions on vulnerable systems.

To reduce exposure, individuals and organisations should ensure they have auto-updates enabled for Firefox and apply the latest security patches as they become available. Restricting the browser’s permissions and using security tools like antivirus software can also help mitigate risks.

This is a reminder that no software is immune to vulnerabilities. Even major applications like Firefox can contain critical flaws. Responsible security practices and timely patching are essential to maintaining robust protection.

Related Links: