Google and Mozilla have recently released updates to address several vulnerabilities found in their Chrome and Firefox browsers, some of which were revealed during the “Pwn2Own” hacking competition held in Vancouver, Canada last week.
The Chrome vulnerabilities include CVE-2024-2887, a high-severity type confusion weakness in the WebAssembly (Wasm) open standard that was discovered and demonstrated by a cybersecurity researcher during the Pwn2Own competition.
The second zero-day vulnerability, designated CVE-2024-2886, was also discovered and exploited during the competition. The vulnerability is a use-after-free (UAF) weakness in the WebCodecs API that could allow remote attackers to perform arbitrary reads and writes via specially crafted HTML pages.
Both vulnerabilities were addressed in Google’s latest versions of Chrome for PC, Mac, and Linux.
The vulnerabilities that Mozilla addressed in its Firefox browser include CVE-2024-29943, an out-of-bounds write flaw that could allow remote code execution, and CVE-2024-29944, a dangerous function weakness that could allow threat actors to escape Firefox’s built-in sandbox.
Mozilla released new versions of Firefox to address the vulnerabilities just one day after they were demonstrated at Pwn2Own.
Source: Bleeping Computer
Analysis
Pwn2Own is an annual hacking competition in which ethical hackers compete to reveal and exploit previously unknown vulnerabilities in popular software in exchange for cash and other prizes. According to the competition's rules, vendors have 90 days to address any vulnerabilities discovered during the competition before they are publicly disclosed.
In this case, Google and Mozilla quickly addressed the discovered vulnerabilities, leaving almost no time for threat actors to develop their own exploits based on what was revealed during the competition.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.
Covalence users were automatically notified if vulnerable versions of Chrome and Firefox were detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages all other users of Chrome and Firefox to update to the latest secure version as soon as possible.