• September 28, 2022

Authenticity

In late June 2022, Sanas, a Silicon Valley startup, raised $32 million in Series A funding. Sanas is a real-time accent translation technology. For years, call centers in India or the …

New Microsoft Documents Reveal Surprising Surface Plans

Next month’s Microsoft event is widely expected to launch a number of new Surface devices, including an update to the flagship range with the Surface Pro 9 and the next version …

Review: Hands On With Creative’s Battery Champ, Outlier Pro Wireless Earbuds

Creative Technology is a company that’s well known for computer audio (Sound Blaster sound cards) and speakers. I’ve had some excellent experiences with Creative Katana gaming soundbars and iRoar Bluetooth speakers …

With Windows 11, Microsoft Teams, Ubuntu Desktop, and the Tesla Model 3 all falling victim to hackers in one week, you might be forgiven for not noticing that Mozilla Firefox was also hacked. In just eight seconds using two critical security vulnerabilities.

Who hacked the Mozilla Firefox browser in just eight seconds?

The hacker in question was the supremely talented Manfred Paul who pulled off the lightning-fast double exploit using two critical vulnerabilities at the PWN2OWN Vancouver, 2022, event that came to an end on Friday, May 20.

Manfred Paul was the fourth on stage during the opening session of PWWN2OWN on Wednesday, May 18. His incredibly quick, double-headed, zero-day hack earned him a total of $100,000 in bounty money from the event organizers. Later the same day, he went on to win another $50,000 for a successful zero-day exploit on the Apple Safari browser.

What were the two critical vulnerabilities used?

The full technical details concerning the successful hack were immediately disclosed to the Mozilla Foundation. In a security advisory dated May 20, the vulnerabilities, both rated as having a critical impact, were described as follows:

Advertisement

CVE-2022-1802

A “prototype pollution in Top-Level Await implementation,” could allow an attacker who corrupted an Array object in JavaScript to execute code in a privileged context.

CVE-2022-1529

An “untrusted input used in JavaScript object indexing, leading to prototype pollution,” which could allow an attacker to send “a message to the parent process where the contents were used to double-index into a JavaScript object.” This, in turn, led to the prototype pollution as described in the first exploit example.

What do Firefox browser users need to do now?

In most cases, the answer will be nothing. Which isn’t in any way downplaying the seriousness of these critical vulnerabilities or the zero-day exploit Manfred Paul was able to demonstrate at PWN2OWN.

Rather it ‘up plays’ the fact that the Mozilla Foundation reacted super-quickly to the disclosure and has already released an emergency update for Firefox that patches the flaws. Because Firefox will automatically update by default, and even do so in the background when you don’t have the browser open, it should have been applied and fixed for most people by now.

If you keep your browser running, without restarts or have disabled automatic updates for whatever reason, then you won’t be protected until such a time as the patch is downloaded, installed and the browser restarted. For desktop users, this means heading for the hamburger menu top right then Help|About Firefox.

The patched and updated version numbers you are looking for are:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

A quick check of the iOS app situation shows that this has not been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro. I have reached out to ask if an iOS update is still to come or whether the exploit does not apply on this platform and will update the article when I know more.

Advertisement

Leave a Reply

Your email address will not be published.