Mozilla has patched Firefox vulnerabilities exploited at Pwn2Own Vancouver 2024.

The Mozilla organization has successfully fixed two zero-day vulnerabilities in the Firefox web browser that were exploited at the Pwn2Own Vancouver 2024 hacking competition.

Researcher Manfred Paul (@_manfp), the winning researcher, exploited two vulnerabilities, designated CVE-2024-29944 and CVE-2024-29943.

On Day 2, Paul demonstrated the ability to bypass the Mozilla Firefox sandbox using the OOB Write method to execute remote code execution (RCE) and a bug in a dangerous function.

For this hack he received $100,000 and 10 Master of Pwn points.

Both issues are described below, according to the report: vulnerability CVE-2024-29944 only affects Firefox desktop and does not affect mobile versions of Firefox, while vulnerability CVE-2024-29943 allows an attacker to perform a read or write outside of a JavaScript object array.

Mozilla has released Firefox 124.0.1 and Firefox ESR 115.9.1 updates to fix both issues.

The Pwn2Own Vancouver 2024 competition took place this week, Trend Micro's Zero Day Initiative (ZDI) announced that participants earned $1,132,500 for demonstrating 29 unique zero-day vulnerabilities.

On the first day, the Synacktiv team successfully demonstrated exploits against a Tesla car.

Researcher Manfred Paul (@_manfp) was the winner of Master of Pwn, earning $202,500 and 25 points.