Mozilla fixes Firefox, Thunderbird zero-days exploited at Pwn2Own



Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest.


If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.


The zero-days have been fixed in Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.


Manfred Paul (@_manfp) earned $100,000 and 10 Master of Pwn points after demoing prototype pollution and improper input validation bugs on the first day of Pwn2Own.


The first vulnerability is a prototype pollution bug in the Top-Level Await implementation (tracked as CVE-2022-1802) that can let an attacker corrupt the methods of an Array object in JavaScript and achieve JavaScript code execution in a privileged context.


The second one (CVE-2022-1529) allows attackers to abuse improper input validation in JavaScript object indexing to carry out prototype pollution injection attacks.


"An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process," Mozilla explained.
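The double-indexing pattern Mozilla describes can be shown in isolation. The following is an added illustration, not Firefox code and not part of the original article: a handler that indexes into an object twice using keys from an untrusted message, next to a hardened form. All function and variable names are hypothetical and the message is constructed.

```javascript
// Constructed example: a message handler that double-indexes into a
// registry object using two keys taken from an untrusted message.
// handleUnsafe, handleSafe, makeRegistry and demo are hypothetical names.

function handleUnsafe(registry, msg) {
  // registry[msg.group] resolves to Object.prototype when msg.group is
  // "__proto__", so the write lands on the prototype shared by every
  // plain object in the realm.
  registry[msg.group][msg.name] = msg.value;
}

const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

function handleSafe(registry, msg) {
  for (const key of [msg.group, msg.name]) {
    if (typeof key !== 'string' || FORBIDDEN.has(key)) {
      throw new TypeError('rejected key in message');
    }
  }
  // Follow own properties only, never the inherited chain.
  if (!Object.prototype.hasOwnProperty.call(registry, msg.group)) {
    throw new RangeError('unknown group');
  }
  registry[msg.group][msg.name] = msg.value;
}

// A registry built from null-prototype objects has no chain to walk.
function makeRegistry(groups) {
  const reg = Object.create(null);
  for (const g of groups) reg[g] = Object.create(null);
  return reg;
}

function demo() {
  const msg = { group: '__proto__', name: 'polluted', value: true };
  const results = {};
  handleUnsafe({ prefs: {} }, msg);
  results.unsafePolluted = ({}).polluted === true; // unrelated object affected
  delete Object.prototype.polluted;                // undo the pollution
  try { handleSafe(makeRegistry(['prefs']), msg); results.safeRejected = false; }
  catch (e) { results.safeRejected = e instanceof TypeError; }
  results.safePolluted = ({}).polluted === true;
  const reg = makeRegistry(['prefs']);
  handleSafe(reg, { group: 'prefs', name: 'theme', value: 'dark' });
  results.legitimateWrite = reg.prefs.theme;
  return results;
}

console.log(demo());
```
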


