Firefox Browser Hacked In 8 Seconds Using 2 Critical Security Flaws

0

With Windows 11, Microsoft Teams, Ubuntu Desktop, and the Tesla Model 3 all falling victim to hackers in one week, you might be forgiven for not noticing that Mozilla Firefox was also hacked. In just eight seconds using two critical security vulnerabilities.

Who hacked the Mozilla Firefox browser in just eight seconds?

The hacker in question was the supremely talented Manfred Paul who pulled off the lightning-fast double exploit using two critical vulnerabilities at the PWN2OWN Vancouver, 2022, event that came to an end on Friday, May 20.

Manfred Paul was the fourth on stage during the opening session of PWWN2OWN on Wednesday, May 18. His incredibly quick, double-headed, zero-day hack earned him a total of $100,000 in bounty money from the event organizers. Later the same day, he went on to win another $50,000 for a successful zero-day exploit on the Apple Safari browser.

MORE FROM FORBESiOS 15.5-Apple Issues iPhone Security Update For Millions Of Users

What were the two critical vulnerabilities used?

The full technical details concerning the successful hack were immediately disclosed to the Mozilla Foundation. In a security advisory dated May 20, the vulnerabilities, both rated as having a critical impact, were described as follows:

CVE-2022-1802

A “prototype pollution in Top-Level Await implementation,” could allow an attacker who corrupted an Array object in JavaScript to execute code in a privileged context.

CVE-2022-1529

An “untrusted input used in JavaScript object indexing, leading to prototype pollution,” which could allow an attacker to send “a message to the parent process where the contents were used to double-index into a JavaScript object.” This, in turn, led to the prototype pollution as described in the first exploit example.

What do Firefox browser users need to do now?

In most cases, the answer will be nothing. Which isn’t in any way downplaying the seriousness of these critical vulnerabilities or the zero-day exploit Manfred Paul was able to demonstrate at PWN2OWN.

Rather it ‘up plays’ the fact that the Mozilla Foundation reacted super-quickly to the disclosure and has already released an emergency update for Firefox that patches the flaws. Because Firefox will automatically update by default, and even do so in the background when you don’t have the browser open, it should have been applied and fixed for most people by now.

If you keep your browser running, without restarts or have disabled automatic updates for whatever reason, then you won’t be protected until such a time as the patch is downloaded, installed and the browser restarted. For desktop users, this means heading for the hamburger menu top right then Help|About Firefox.

The patched and updated version numbers you are looking for are:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

A quick check of the iOS app situation shows that this has not been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro. I have reached out to ask if an iOS update is still to come or whether the exploit does not apply on this platform and will update the article when I know more.

Stay connected with us on social media platform for instant update click here to join our  Twitter, & Facebook

We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.

For all the latest Technology News Click Here 

Read original article here

Denial of responsibility! Rapidtelecast.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
Leave a comment