Mozilla has released Firefox 124.0.1 to address two critical security vulnerabilities that could allow attackers to execute arbitrary code on affected systems. Users are strongly advised to update their Firefox browsers immediately to protect against potential threats.
The first vulnerability, assigned CVE-2024-29943, is an out-of-bounds access issue that stems from a bypass of range analysis security checks. An attacker could exploit this flaw to perform unauthorized out-of-bounds read or write operations on JavaScript objects, potentially leading to code execution attacks.
As reported by security researcher Manfred Paul (@_manfp)through Trend Micro's Zero Day Initiative, the vulnerability arises due to a failure in range-based bounds check elimination, a technique used by compilers to optimize performance. By crafting specialized inputs that fool this optimization, malicious actors could circumvent critical security boundaries.
The second critical issue tracked as CVE-2024-29944, relates to the ability of attackers to inject malicious event handlers into privileged objects on the desktop version of Firefox. Successful exploitation could grant the attacker the ability to execute arbitrary JavaScript code within the browser's parent process, drastically elevating their capabilities.
This vulnerability, also reported by Manfred Paul, does not impact mobile versions of Firefox, limiting its potential attack surface. However, on vulnerable desktop systems, it represents a significant threat that necessitates prompt remediation.
By exploiting the above two flaws Manfred earned a $100,000 award and 10 Master of Pwn points. This was a very quick fix from the Mozilla team as both vulnerabilities were reported at the Pwn2Own hacking contest 2024 and it's just one day the content has ended.
However, after the Pwn2Own competition, vendors usually take their time to release patches as they have 90 days to push fixes until Trend Micro's Zero Day Initiative publicly discloses them.
Both vulnerabilities underscore the importance of maintaining robust security practices and promptly installing software updates as they become available. Mozilla fixed the security flaws in Firefox 124.0.1 and Firefox ESR 115.9.1 to block potential remote code execution attacks targeting unpatched web browsers on desktop devices.
By updating to Firefox 124.0.1, users can ensure they are protected against these critical vulnerabilities and any associated risks.