Mozilla Patches Pwn2Own Zero Days in Firefox 28

Mozilla released Firefox 28 yesterday, patching four zero-day vulnerabilities disclosed during last week’s Pwn2Own contest.

The Firefox web browser took a beating during last week’s Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process.

Yesterday, Mozilla patched all four bugs, among 18 security advisories addressed in Firefox 28.

Firefox was by no means the only browser targeted during the annual contest; all four leading vendors failed to hold up against some of the best white hat hackers in the world. Two days ago, Google led the charge with the first set of patches addressing vulnerabilities disclosed during Pwn2Own. Google also paid out more than $150,000 to the winners of its Pwnium contest which went after bugs in Chromium and the Chrome OS.

George Hotz, known by his handle geohot and for his iPhone and PlayStation 3 jailbreaking, cashed in at both competitions. The 24-year-old claimed a $50,000 prize for a zero-day in Firefox that also affected Thunderbird and SeaMonkey, Mozilla said.

Mozilla said in its advisory that Hotz discovered an issue where values are copied from an array into a second, neutered array. “This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution,” Mozilla said in its advisory.

Hotz’s big prize, however, came during the Pwnium event, where he scored $150,000 for a persistent code execution bug in Chrome OS. Pwn2Own and Pwnium veteran hacker Pinkie Pie also found sandbox code execution and kernel out-of-bounds vulnerabilities; Google has yet to announce his prize.

Three other Pwn2Own bugs were patched by Mozilla in Firefox 28.

Researcher Juri Aedla, a frequent Google bug-hunter, found a zero-day code execution bug in the browser. Mozilla said in its advisory: “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.”
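To make the advisory's wording concrete, here is an added example (not from the article or from Mozilla's code) showing what a "neutered" ArrayBuffer, now called "detached" in the language spec, looks like to script, and the answers a correct engine must give for a view that still points at it. The function names `detach`, `probe` and `safeRead` are this example's own; the bug Mozilla describes was the engine failing to re-check this state internally, which script cannot reproduce here.

```javascript
// Transferring an ArrayBuffer to another realm detaches the original.
// structuredClone with a transfer list does this in Node 17+ and browsers;
// a MessageChannel transfer is the fallback for older runtimes.
function detach(buf) {
  if (typeof structuredClone === 'function') {
    structuredClone(buf, { transfer: [buf] });
  } else {
    const { port1 } = new MessageChannel();
    port1.postMessage(buf, [buf]);
    port1.close();
  }
  return buf;
}

// Observe a view before and after its backing buffer is detached.
function probe() {
  const buf = new ArrayBuffer(16);          // constructed sample buffer
  const view = new Uint8Array(buf);
  view[0] = 0x41;                           // constructed sample data
  const before = { byteLength: buf.byteLength, length: view.length, first: view[0] };

  detach(buf);

  // Correct semantics after detaching: the buffer and every existing view
  // report length 0, an indexed read yields undefined rather than touching
  // freed memory, and constructing a new view over the buffer throws.
  let ctorThrows = false;
  try { new DataView(buf); } catch (e) { ctorThrows = e instanceof TypeError; }
  const after = { byteLength: buf.byteLength, length: view.length, first: view[0], ctorThrows };
  return { before, after };
}

// Defensive accessor: re-validate the view's current length on every access
// instead of caching it, which is the invariant the engine itself must keep.
function safeRead(view, index) {
  if (!Number.isInteger(index) || index < 0 || index >= view.length) return null;
  return view[index];
}
```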

Researchers from French exploit vendor VUPEN were the big winners during Pwn2Own and Pwnium, cashing in six times, including a Firefox zero day. Team VUPEN found a memory corruption issue leading to an exploitable use-after-free condition. Founder Chaouki Bekrar told Threatpost that the discovery of the zero-day required running more than 60 million test cases through a fuzzer.

Polish researcher Mariusz Mlynski was the fourth Pwn2Own contestant to topple Firefox. He combined two vulnerabilities to gain privilege escalation.

“Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution,” Mozilla said in its advisory.

Firefox 28 addressed one more critical vulnerability, actually a set of memory safety hazards, Mozilla said.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in its advisory.
