May 22, 2022, 17:43 pm
Written by Davey Winder
Published: May 22, 2022
With Windows 11, Microsoft Teams, Ubuntu Desktop, and the Tesla Model 3 all falling victim to hackers in one week, you might be forgiven for not noticing that Mozilla Firefox was also hacked. In just eight seconds using two critical security vulnerabilities.
Who hacked the Mozilla Firefox browser in just eight seconds?
The hacker in question was the supremely talented Manfred Paul who pulled off the lightning-fast double exploit using two critical vulnerabilities at the PWN2OWN Vancouver, 2022, event that came to an end on Friday, May 20.
Manfred Paul was the fourth on stage during the opening session of PWN2OWN on Wednesday, May 18. His incredibly quick, double-headed, zero-day hack earned him a total of $100,000 in bounty money from the event organizers. Later the same day, he went on to win another $50,000 for a successful zero-day exploit on the Apple Safari browser.
What were the two critical vulnerabilities used?
The full technical details concerning the successful hack were immediately disclosed to the Mozilla Foundation. In a security advisory dated May 20, the vulnerabilities, both rated as having a critical impact, were described as follows:
CVE-2022-1802
A "prototype pollution in Top-Level Await implementation," which could allow an attacker who corrupted an Array object in JavaScript to execute code in a privileged context.
CVE-2022-1529
An "untrusted input used in JavaScript object indexing, leading to prototype pollution," which could allow an attacker to send "a message to the parent process where the contents were used to double-index into a JavaScript object." This, in turn, led to the prototype pollution as described in the first exploit example.
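To make the bug class concrete, here is an added example (not code from Firefox, Mozilla or the advisory) showing how double-indexing a JavaScript object with untrusted keys pollutes `Object.prototype`, next to a hardened version of the same handler. The message shape, the `registry` object and all function names are hypothetical, and the hostile message is constructed for the demonstration.

```javascript
'use strict';
// Constructed sketch of the bug class; all names here are hypothetical.

// Vulnerable pattern: both indices come straight from an untrusted message.
function setNestedUnsafe(registry, msg) {
  // registry["__proto__"] resolves to Object.prototype, so the second
  // index writes a property that every plain object then inherits.
  registry[msg.group][msg.key] = msg.value;
}

// Hardened pattern: reserved keys rejected, own-property lookup only.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
function setNestedSafe(registry, msg) {
  for (const k of [msg.group, msg.key]) {
    if (typeof k !== 'string' || RESERVED.has(k)) return false;
  }
  if (!Object.prototype.hasOwnProperty.call(registry, msg.group)) return false;
  registry[msg.group][msg.key] = msg.value;
  return true;
}

// Null-prototype containers remove the inherited chain altogether.
function makeRegistry(groups) {
  const reg = Object.create(null);
  for (const g of groups) reg[g] = Object.create(null);
  return reg;
}

function demo() {
  // Constructed hostile message: the first index is a reserved key.
  const hostile = { group: '__proto__', key: 'isPrivileged', value: true };

  const unsafeReg = { prefs: {} };
  setNestedUnsafe(unsafeReg, hostile);
  const pollutedUnsafe = ({}).isPrivileged === true; // unrelated object is affected
  delete Object.prototype.isPrivileged;              // undo the pollution

  const safeReg = makeRegistry(['prefs']);
  const accepted = setNestedSafe(safeReg, hostile);
  const pollutedSafe = ({}).isPrivileged === true;
  const normal = setNestedSafe(safeReg, { group: 'prefs', key: 'theme', value: 'dark' });
  return { pollutedUnsafe, accepted, pollutedSafe, normal, theme: safeReg.prefs.theme };
}

console.log(demo());
```

The same review question applies to any handler that indexes an object with data from a less-privileged sender: are the keys validated, and is the lookup restricted to own properties?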
What do Firefox browser users need to do now?
In most cases, the answer will be nothing. Which isn't in any way downplaying the seriousness of these critical vulnerabilities or the zero-day exploit Manfred Paul was able to demonstrate at PWN2OWN.
Rather it 'up plays' the fact that the Mozilla Foundation reacted super-quickly to the disclosure and has already released an emergency update for Firefox that patches the flaws. Because Firefox will automatically update by default, and even do so in the background when you don't have the browser open, it should have been applied and fixed for most people by now.
If you keep your browser running without restarts, or have disabled automatic updates for whatever reason, then you won't be protected until such a time as the patch is downloaded, installed and the browser restarted. For desktop users, this means heading for the top right menu, then Help|About Firefox.
The patched and updated version numbers you are looking for are:
* Firefox v100.0.2 for desktop users
* Firefox v100.3.0 for Android users
* Firefox v91.9.1 for Enterprise 'Extended Support Release' users
A quick check of the iOS app situation shows that this has not been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro. I have reached out to ask if an iOS update is still to come or whether the exploit does not apply on this platform and will update the article when I know more.
https://www.forbes.com/sites/daveywinder...ity-flaws/