Mozilla releases fixes for Firefox and Thunderbird vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking competition

Mozilla recently released patches for Firefox and Thunderbird in response to the zero-day vulnerabilities demonstrated during the Pwn2Own Vancouver 2022 hacking competition.

Mozilla hacked in hacking contest

Mozilla quickly released patches for two zero-day vulnerabilities, CVE-2022-1802 and CVE-2022-1529, that were discovered through the annual white hat hacking competition.

According to Bleeping Computer, if the two critical vulnerabilities are exploited on mobile or desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, or Thunderbird, attackers can run JavaScript code and take control of the affected device.

The first vulnerability, tracked as CVE-2022-1802, is a prototype pollution flaw in the Top-Level Await implementation.

If a malicious actor succeeds in corrupting the methods of an Array object in JavaScript through prototype pollution, they can execute attacker-controlled JavaScript code in a privileged context.

The second zero-day vulnerability is tracked as CVE-2022-1529. It lets attackers abuse JavaScript object indexing, through improper input validation, to launch prototype pollution injection attacks.

As described by Mozilla, “An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and attacker-controlled JavaScript execution in the privileged parent process.”
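The double-indexing pattern Mozilla describes can be illustrated generically. The following is an added example, not Firefox or Thunderbird code: the handler names, the `store` object, and the sample message are all constructed for illustration. It shows an unvalidated `obj[a][b] = value` write next to a hardened version that rejects prototype-reaching keys.

```javascript
// Added illustration of the bug class only; all names here are hypothetical.
const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

// Unsafe: both keys come from the message, so store[outer] can resolve to
// Object.prototype and the write lands on every object in the realm.
function unsafeSet(store, msg) {
  store[msg.outer][msg.inner] = msg.value;
}

// Hardened: validate both keys and only follow the store's own properties.
function safeSet(store, msg) {
  for (const key of [msg.outer, msg.inner]) {
    if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`rejected key: ${String(key)}`);
    }
  }
  if (!Object.prototype.hasOwnProperty.call(store, msg.outer)) {
    throw new TypeError(`unknown section: ${msg.outer}`);
  }
  store[msg.outer][msg.inner] = msg.value;
}

// Feeds a constructed untrusted message to a handler and reports whether
// Object.prototype was modified. Cleans up so the check is repeatable.
function pollutes(handler) {
  const store = { prefs: {} };
  const msg = JSON.parse(
    '{"outer":"__proto__","inner":"isPrivileged","value":true}'
  );
  try {
    handler(store, msg);
  } catch (err) {
    // The hardened handler rejects the message; nothing was written.
  }
  const polluted = ({}).isPrivileged === true;
  delete Object.prototype.isPrivileged;
  return polluted;
}

console.log("unsafe handler pollutes:", pollutes(unsafeSet));
console.log("hardened handler pollutes:", pollutes(safeSet));
```

Creating the container with `Object.create(null)` or using a `Map` removes the prototype chain from the lookup entirely and is a stronger default for data keyed by untrusted input.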

Two days after the vulnerabilities were discovered, exploited, and disclosed at the Pwn2Own hacking competition by Manfred Paul, Mozilla released fixes to address them.

Vendors have ninety days to roll out security fixes after Pwn2Own, and they usually aren’t in a hurry to release patches after the competition because Trend Micro’s Zero Day Initiative won’t publish the details until that period has passed.

Mozilla treated the discovered vulnerabilities very seriously and responded immediately to avoid further exploitation by malicious actors.

Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1 are the updated releases that patch the zero-day vulnerabilities.


Pwn2Own Hacking Contest Vancouver 2022

Vulnerabilities in Mozilla products, as well as in Windows 11, Microsoft, and Tesla products, were discovered at the annual hacking event in Canada.

Pwn2Own is a white hat hacking competition that started in 2007. Pwn2Own Vancouver 2022 is the fifteenth edition of the competition. The aim of this competition is for contestants to find and exploit previously unknown vulnerabilities in commonly used mobile software and devices.

The Pwn2Own Vancouver 2022 hacking competition was coordinated by Trend Micro’s Zero Day Initiative (ZDI). This year, a total of 17 competitors attempted 21 targets across a variety of categories.

According to ZDI, rewards were paid for 25 different zero-day vulnerabilities that were exploited to target the Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox, and Oracle VirtualBox. These vulnerabilities were exploited to gain access to sensitive information.

On the first day of the event, the organizers reportedly gave a total of $800,000 to several white hat hackers.

Aside from the Mozilla vulnerabilities, Pwn2Own participants also found and exploited vulnerabilities in Microsoft Teams, which earned the winners $450,000 in prizes.

As Bleeping Computer reported a few days ago, Hector Peralta discovered and exploited a misconfiguration flaw in Microsoft Teams, which led to Teams being compromised in the workplace communications category. Masato Kinugawa managed to hack Microsoft Teams for the third time by chaining three bugs: injection, misconfiguration, and sandbox escape.

Pwn2Own Vancouver 2022 ended on May 20. Over the course of three days and 21 attempts, 17 competitors demonstrated zero-day exploits and exploit chains that earned them a total of $1,155,000.
