Header Logo
Firefox Browser Hacked In 8 Seconds Using 2 Critical Security Flaws

Firefox Browser Hacked In 8 Seconds Using 2 Critical Security Flaws

With Windows 11, Microsoft Teams, Ubuntu Desktop, and the Tesla Model 3 all falling victim to Firefox Browser hackers in one week, you might be forgiven for not noticing that Mozilla Firefox was also hacked. In just eight seconds using two critical security vulnerabilities.

Who hacked the Mozilla Firefox browser in just eight seconds?

The hacker in question was the supremely talented Manfred Paul who pulled off the lightning-fast double exploit using two critical vulnerabilities at the PWN2OWN Vancouver, 2022, event that came to an end on Friday, May 20.

Manfred Paul was the fourth on stage during the opening session of PWWN2OWN on Wednesday, May 18. His incredibly quick, double-headed, zero-day hack earned him a total of $100,000 in bounty money from the event organizers. Later the same day, he went on to win another $50,000 for a successful zero-day exploit on the Apple Safari browser.

MORE FROM FORBESiOS 15.5-Apple Issues iPhone Security Update For Millions Of Users

What were the two critical vulnerabilities used?

The full technical details concerning the successful hack were immediately disclosed to the Mozilla Foundation. In a security advisory dated May 20, the vulnerabilities, both rated as having a critical impact, were described as follows:

CVE-2022-1802

A “prototype pollution in Top-Level Await implementation,” could allow an attacker who corrupted an Array object in JavaScript to execute code in a privileged context.

CVE-2022-1529

An “untrusted input used in JavaScript object indexing, leading to prototype pollution,” which could allow an attacker to send “a message to the parent process where the contents were used to double-index into a JavaScript object.” This, in turn, led to the prototype pollution as described in the first exploit example.

What do Firefox browser users need to do now?

In most cases, the answer will be nothing. Which isn’t in any way downplaying the seriousness of these critical vulnerabilities or the zero-day exploit Manfred Paul was able to demonstrate at PWN2OWN.

Rather it ‘up plays’ the fact that the Mozilla Foundation reacted super-quickly to the disclosure and has already released an emergency update for Firefox Browser that patches the flaws. Because Firefox Browser will automatically update by default, and even do so in the background when you don’t have the browser open, it should have been applied and fixed for most people by now.

If you keep your browser running, without restarts or have disabled automatic updates for whatever reason, then you won’t be protected until such a time as the patch is downloaded, installed and the browser restarted. For desktop users, this means heading for the hamburger menu top right then Help|About Firefox Browser.

The patched and updated version numbers you are looking for are:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

A quick check of the iOS app situation shows that this has not been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro. I have reached out to ask if an iOS update is still to come or whether the exploit does not apply on this platform and will update the article when I know more.

Source link

Share Now

Subscribe our Newsletter

Leave a Reply

Your email address will not be published.

Recent Post that you Love to read

Post a Story

post a guest post, in our portal, if you wish. then we review the post. of fill up our recruitment then we'll be published in 3 to 4 working days