Firefox Zero Day Mitigated

Tuesday, March 21, 2017 @ 10:03 AM gHale


In less than a day, Mozilla patched a Zero Day after learning about the issue at a hacking competition.

Mozilla’s Firefox version 52.0.1 released Friday contains the patch for the flaw discovered by hackers at the Pwn2Own competition.

RELATED STORIES
Google Release Chrome 57
Tor Browser 6.5 Update Releases
Chrome MacOS Users get Malware Protection
Google Updates to Chrome 56 for Android

Mozilla confirmed the fix via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, security team member at Mozilla.

The bug, discovered by the Chaitin Security Research Lab from China, was the result of hackers finding a way to escalate privileges in an exploit during the hacking competition. They combined the bug with an initialized buffer in the Windows kernel. The bug bounty for this vulnerability was for $30,000, which shows it was a fairly major hole.

In a security advisory published by Mozilla, the company labeled the integer overflow in the createImageBitmap() as “critical.”

They said the bug ended up mitigated in the newest version by disabling experimental extensions to the createImageBitmap API.

Mozilla said since the function works in the content sandbox, it would have required a second vulnerability to compromise a user’s computer. Chaitin used, in this instance, the Windows kernel.

Plenty of vulnerabilities ended up discovered during the hacking competition. Contestants ended up awarded $833,000 for the discovered vulnerabilities this year, almost doubled what they got last year. In 2016, the awards reached $460,000 and the previous year $577,000.



Leave a Reply

You must be logged in to post a comment.