Mozilla recently issued a patch for Firefox and Thunderbird in response to a Zero-Day Vulnerability discovered during the Pwn2Own Vancouver 2022 Hacking Contest.
Mozilla's Breach in the Hacking Contest
Mozilla hurriedly released patches to the Zero-Day Vulnerabilities detected through an annual white-hat hacking contest, CVE-2022-1802 and CVE-2022-1529.
According to Bleeping Computer, if the two critical vulnerabilities are used against mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird, attackers could run JavaScript code and take control of the affected device.
The vulnerability tracked as CVE-2022-1802 is the first one detected from a prototype pollution in the Top-Level Await implementation.
In the event that a malicious actor was successful in corrupting the methods of an Array object in JavaScript through the use of prototype pollution, the malicious actor would have been able to achieve the execution of JavaScript code that was controlled by the adversary in a privileged context.
The second Zero-Day Vulnerability detected is tracked as CVE-2022-1529. This vulnerability lets attackers misuse JavaScript object indexing with improper input validation in order to launch prototype pollution injection attacks.
As described by Mozilla, "An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process."
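The "double-indexing" pattern Mozilla describes is easiest to understand with a small model. The following is an added example written for this article, not Firefox's code: a parent-process-style handler that takes two keys from an untrusted message and writes `store[key1][key2]`. The message, the `store` object and the function names are all constructed for illustration. The unsafe handler shows how an unchecked first key of `__proto__` turns the write into a pollution of `Object.prototype`, visible from an unrelated array; the hardened handler shows the usual mitigations (reject prototype-chain keys, only follow own properties, keep the store on a null prototype), and a small integrity check shows how pollution can be detected at runtime.

```javascript
// Constructed example: two-level ("double-indexed") writes driven by an untrusted message.
// Not Firefox's implementation; the handler names and message shape are assumptions.

// Vulnerable pattern: both keys come verbatim from the message.
// If msg.key1 is "__proto__", store["__proto__"] resolves to Object.prototype
// (via the inherited accessor), so the second index writes onto every object.
function applyMessageUnsafe(store, msg) {
  if (store[msg.key1] === undefined) store[msg.key1] = {};
  store[msg.key1][msg.key2] = msg.value;
}

// Hardened pattern: refuse keys that walk the prototype chain, only treat own
// properties as existing sub-objects, and give sub-objects no prototype at all.
const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

function applyMessageSafe(store, msg) {
  if (typeof msg.key1 !== "string" || typeof msg.key2 !== "string") {
    throw new TypeError("keys must be strings");
  }
  if (FORBIDDEN_KEYS.has(msg.key1) || FORBIDDEN_KEYS.has(msg.key2)) {
    throw new TypeError("rejected prototype-chain key");
  }
  if (!Object.prototype.hasOwnProperty.call(store, msg.key1)) {
    store[msg.key1] = Object.create(null); // no prototype to pollute
  }
  store[msg.key1][msg.key2] = msg.value;
}

// Runtime integrity check: Object.prototype and Array.prototype normally have no
// enumerable own keys, so any key listed here is a sign of pollution.
function listUnexpectedPrototypeKeys() {
  return Object.keys(Object.prototype).concat(Object.keys(Array.prototype));
}

// Drive both handlers with the same hostile message and report what happened.
function demonstrate() {
  // Constructed hostile message: first key targets the prototype chain.
  const msg = { key1: "__proto__", key2: "polluted", value: "yes" };

  const unsafeStore = {};
  applyMessageUnsafe(unsafeStore, msg);
  const leaked = [].polluted;                 // an unrelated array now "has" the property
  const detected = listUnexpectedPrototypeKeys();
  delete Object.prototype.polluted;           // clean up so the demo is repeatable

  const safeStore = Object.create(null);
  let rejected = false;
  try {
    applyMessageSafe(safeStore, msg);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  return {
    leaked,                                   // "yes": pollution reached every object
    detected,                                 // ["polluted"]: the check caught it
    rejected,                                 // true: the hardened path refused the key
    cleanAfter: [].polluted === undefined,    // true: prototype restored
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
}
```

The same check would also catch the Array-method corruption described for CVE-2022-1802 if the pollution landed as an enumerable property, which is why a `Object.keys(Object.prototype).length === 0` assertion makes a cheap sanity test in code that routes untrusted keys into object writes.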
Two days after they were discovered, exploited, and disclosed at the Pwn2Own hacking competition by Manfred Paul, Mozilla released a fix to address these vulnerabilities.
Vendors have ninety days after Pwn2Own to ship fixes, and they typically do not rush, because Trend Micro's Zero Day Initiative does not publish the vulnerability details until well after that window. Mozilla's response was unusually fast.
The company has taken the severity of detected vulnerabilities seriously, which prompted an immediate response to avoid further exploitation from bad actors.
Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1 have all been updated to correct the zero-day vulnerabilities.
The Pwn2Own Vancouver 2022 Hacking Contest
Mozilla's vulnerabilities, along with those found in Windows 11, other Microsoft products, and Tesla, were all discovered at an annual hacking event in Canada.
Pwn2Own is a white-hat hacking competition that started in 2007. The Pwn2Own Vancouver 2022 is the 15th edition of the contest. The objective of this competition is for contestants to find and exploit previously unknown vulnerabilities in commonly used software and mobile devices.
The Pwn2Own Vancouver 2022 Hacking Contest was coordinated by Trend Micro's Zero Day Initiative (ZDI). This year, a total of 17 competitors attempted 21 entries across a variety of categories.
According to ZDI, rewards were paid out for 25 different zero-day vulnerabilities exploited against the Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox, and Oracle VirtualBox. These vulnerabilities were exploited to gain access to sensitive information.
On the first day of the event, it was said that the organizers gave a total of $800,000 to several white-hat hackers.
Aside from finding vulnerabilities in Mozilla's software, Pwn2Own participants also demonstrated vulnerabilities in Microsoft Teams that earned the winners $450,000 in prizes.
As reported by Bleeping Computer a few days ago, Hector Peralta discovered and exploited a misconfiguration in Microsoft Teams, which ultimately led to the company's fall in the workplace communications sector. Masato Kinugawa was able to hack Microsoft Teams for the third time by chaining three bugs: an injection, a misconfiguration, and a sandbox escape.
Pwn2Own 2022 Vancouver ended on May 20. Over the course of three days and 21 attempts, 17 competitors showed off zero-day exploits and chains of exploits that earned them a total of $1,155,000.