Mozilla Patches Pwn2Own Zero Day in Firefox

Mozilla patched a zero day uncovered at Pwn2Own in Firefox in 22 hours on Friday.

Mozilla was quick to patch a zero day vulnerability identified in the Firefox browser at the Pwn2Own hacking competition last week. The company remedied the issue just shy of 24 hours of being made aware of the flaw, pushing out the updated version 52.0.1 of the browser late Friday.

Asa Dotzler, Mozilla’s participation director for Firefox OS, and Daniel Veditz, a member of Mozilla’s security team, confirmed the fix via Twitter.

The vulnerability, an integer overflow in the createImageBitmap() method, was disclosed to Mozilla on Thursday in Vancouver via Trend Micro’s Zero Day Initiative. Hackers with China-based Chaitin Security Research Lab discovered the bug and used it to escalate privileges in an exploit at the hacking competition. The group escalated privileges by combining the bug with an initialized buffer in the Windows kernel. The exploit earned them $30,000.

According to a Mozilla advisory from Friday, the bug – marked critical – was fixed in both Firefox 52.0.1 and Firefox ESR 52.0.1 by disabling experimental extensions to the createImageBitmap API.

Mozilla claims that since the function runs in the content sandbox, it would have required a second vulnerability, like the initialized buffer in the Windows kernel Chaitin used, to compromise a user’s computer. If exploited, a remote user would be able to cause arbitrary code to be executed on a targeted system.

Pwn2Own 2017 wrapped up Friday afternoon with several high figure payouts.

Richard Zhu, a/k/a fluorescence, managed to exploit Microsoft’s Edge browser with a SYSTEM-level escalation after he chained two use-after-free bugs in the browser together. He used a buffer overflow, to escalate with SYSTEM, something which fetched him $55,000.

Tencent Security’s Team Sniper managed to pull off the competition’s second virtual machine escape as well. It required three different bugs but the group, a mix of researchers from Keen Lab and PC Manager, took down VMWare Workstation. The hackers used a Windows kernel use-after-free vulnerability, a Workstation info leak, and an uninitialized buffer in Workstation, to go from guest-to-host.

Hackers with 360 Security had executed the competition’s first VM escape in 90 seconds via an Edge vulnerability earlier Friday. Both teams earned $100,000 for their VM exploits.

Last week saw hackers poke a series of holes in software like Apple’s Safari and macOS, Microsoft’s Windows and Edge, and Adobe’s Flash and Reader platforms.

It’s unclear if any vendors aside from Mozilla are planning to release emergency patches in wake of Pwn2Own however. Companies like Microsoft and Apple usually wait to incorporate fixes for vulnerabilities found during the competition into their next scheduled round of updates.

In total, contestants were awarded $833,000 for vulnerabilities found this year, surpassing the amount given out last year, $460,000, and the year prior, $557,000.

Suggested articles