Firefox browser hacked in 8 seconds using 2 critical security flaws


With Windows 11, Microsoft Teams, Ubuntu Desktop and Tesla Model 3 all falling victim to hackers within a week, I can be forgiven for not noticing that Mozilla Firefox was also hacked: in just 8 seconds, using two critical security vulnerabilities.

Who hacked the Mozilla Firefox browser in just 8 seconds?

The hacker in question was the highly talented Manfred Paul, who performed a lightning-fast double attack using two critical vulnerabilities at PWN2OWN Vancouver, an event that ended on Friday, May 20, 2022.

Manfred Paul was the fourth to appear on stage for the opening session of PWN2OWN on Wednesday, May 18th. His incredibly fast and interactive zero-day hack earned him a total bounty of $100,000 from event organizers. Later that same day, he earned an additional $50,000 from a successful zero-day exploit on the Apple Safari browser.


What are the two critical vulnerabilities used?

Full technical details of the successful hack were immediately disclosed to the Mozilla Foundation. A security advisory dated May 20 described both vulnerabilities, which were rated as critical.

CVE-2022-1802

An attacker who corrupted an Array object in JavaScript could run code in a privileged context due to “prototype pollution in Top-Level Await implementation”.

CVE-2022-1529

“Untrusted input used in JavaScript object indexing, leading to prototype pollution.” This allows an attacker to send a “message to the parent process where the contents were used to double-index into a JavaScript object”. This in turn led to prototype pollution, as described in the first exploit example.
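The general pattern behind CVE-2022-1529, shown as an added example that is not Firefox's code and not part of the original article: a handler that double-indexes an object with keys taken from an untrusted message, next to a hardened version. The function names, the `registry` layout and the sample message are hypothetical.

```javascript
// Constructed example: a message handler that double-indexes an object
// with keys taken from an untrusted message. All names are hypothetical.

// Vulnerable form: both keys come straight from the message.
function handleMessageUnsafe(registry, msg) {
  // registry["__proto__"] resolves to Object.prototype, so the second
  // index writes onto the prototype shared by every plain object.
  registry[msg.group][msg.name] = msg.value;
}

// Hardened form: only own, pre-registered groups are reachable, and
// per-group storage is a Map, so keys are never property lookups.
function handleMessageSafe(registry, msg) {
  if (typeof msg.group !== "string" || typeof msg.name !== "string") {
    return false;
  }
  if (!Object.prototype.hasOwnProperty.call(registry, msg.group)) {
    return false; // rejects "__proto__", "constructor", unknown groups
  }
  registry[msg.group].set(msg.name, msg.value);
  return true;
}

// Runs one constructed message through both handlers and reports
// whether an unrelated, freshly created object was affected.
function demo() {
  // Constructed sample input, as it would look after JSON parsing.
  const msg = JSON.parse(
    '{"group":"__proto__","name":"isPrivileged","value":true}'
  );

  const unsafeRegistry = { prefs: {} };
  handleMessageUnsafe(unsafeRegistry, msg);
  const pollutedAfterUnsafe = ({}).isPrivileged === true;
  delete Object.prototype.isPrivileged; // undo the pollution

  const safeRegistry = { prefs: new Map() };
  const accepted = handleMessageSafe(safeRegistry, msg);
  const pollutedAfterSafe = ({}).isPrivileged === true;

  return { pollutedAfterUnsafe, accepted, pollutedAfterSafe };
}

console.log(demo());
```

The hardened handler still accepts well-formed messages for registered groups; it only refuses keys that would resolve through the prototype chain.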

What should Firefox browser users do now?

In most cases, the answer is nothing. This is in no way downplaying the severity of these critical vulnerabilities or the zero-day exploits that Manfred Paul was able to demonstrate at PWN2OWN.

Rather, it is because the Mozilla Foundation responded very quickly to the disclosures and has already released an emergency update to Firefox that fixes the flaws. Firefox updates automatically by default, and updates in the background even if you don’t open your browser, so most people should already have the fix by now.

If you keep your browser running without restarting it, or if you have disabled automatic updates for any reason, you will not be protected until the patch is downloaded and installed and your browser is restarted. For desktop users, this means going to the hamburger menu in the top right, then Help | About Firefox.

Here are the patched version numbers you are looking for:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

A quick check on the iOS app situation shows that this hasn’t been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro. I’ve reached out to ask if an iOS update hasn’t been released yet or if the exploit doesn’t apply to this platform and will update the article as I learn more.
