Firefox Zero Day Mitigated
Tuesday, March 21, 2017 @ 10:03 AM gHale
In less than a day, Mozilla patched a Zero Day after learning about the issue at a hacking competition.
Mozilla’s Firefox version 52.0.1 released Friday contains the patch for the flaw discovered by hackers at the Pwn2Own competition.
Mozilla confirmed the fix via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, security team member at Mozilla.
The bug, discovered by the Chaitin Security Research Lab from China, was the result of hackers finding a way to escalate privileges in an exploit during the hacking competition. They combined the bug with an initialized buffer in the Windows kernel. The bug bounty for this vulnerability was for $30,000, which shows it was a fairly major hole.
In a security advisory published by Mozilla, the company labeled the integer overflow in the createImageBitmap() as “critical.”
They said the bug ended up mitigated in the newest version by disabling experimental extensions to the createImageBitmap API.
Mozilla said since the function works in the content sandbox, it would have required a second vulnerability to compromise a user’s computer. Chaitin used, in this instance, the Windows kernel.
Plenty of vulnerabilities ended up discovered during the hacking competition. Contestants ended up awarded $833,000 for the discovered vulnerabilities this year, almost doubled what they got last year. In 2016, the awards reached $460,000 and the previous year $577,000.
Leave a Reply
You must be logged in to post a comment.