Ten chief information security officers from a variety of verticals will provide valuable insights to Dark Reading on what they see as the industry’s most pressing issues.
2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now
Mozilla addresses two zero-day vulnerabilities that were recently exploited at the Pwn2Own Vancouver 2024 hacking contest in the Firefox web browser.
The Pwn2Own Vancouver 2024 hacking competition was held this week, and Trend Micro’s Zero Day Initiative (ZDI) revealed that participants received $1,132,500 for exhibiting 29 distinct zero-days.
The competition’s winner, researcher Manfred Paul (@_manfp), exploited two critical vulnerabilities, CVE-2024-29944 and CVE-2024-29943.
Manfred Paul (@_manfp) accomplished his Mozilla Firefox sandbox escape by using an OOB Write (CVE-2024-29943) for the RCE and an exposed dangerous function bug (CVE-2024-29944).
He earned an additional $100,000 and 10 Master of Pwn points, putting him in the lead with 25 points.
Manfred Paul was ultimately crowned Master of Pwn, having earned $202,500 and 25 points in total.
Details Of The Security Flaws Patched
CVE-2024-29943: Out-Of-Bounds Access via Range Analysis bypass
According to Mozilla, an attacker might deceive range-based bounds check elimination and execute an out-of-bounds read or write on a JavaScript object.
Firefox < 124.0.1 is vulnerable to this attack.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination”, Mozilla said in its advisory.
CVE-2024-29944: Privileged JavaScript Execution via Event Handlers
To enable arbitrary JavaScript execution in the parent process, an attacker was able to inject an event handler into a privileged object.
This vulnerability only affects desktop versions of Firefox; mobile versions are unaffected.
“An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”, Mozilla said.
Patch Released
Mozilla published Firefox 124.0.1 and Firefox ESR 115.9.1 to address both security issues.
These flaws highlight how crucial it is to keep up strict security procedures and apply software updates as soon as they are made available.
By updating to Firefox 124.0.1, users can ensure they are safe from these critical vulnerabilities and any related risks.
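For fleet triage, the practical question is whether a reported build is at or above the fixed versions named above. The following is an added example, not code from the article or from Mozilla; it compares a version string against the release-channel floor (124.0.1) or the ESR floor (115.9.1), and the inventory it runs over is constructed for illustration.

```python
"""Added example: decide whether a reported Firefox version carries the fixes
for CVE-2024-29943 and CVE-2024-29944 (Firefox 124.0.1 / Firefox ESR 115.9.1,
per the advisory). The sample inventory below is constructed, not real data."""
import re
from typing import List, Tuple

# Minimum patched version per release channel, taken from the article.
FIXED = {
    "release": (124, 0, 1),
    "esr": (115, 9, 1),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '124.0.1' or '115.9.1esr' into a comparable tuple of ints."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '124.1' compares like 124.1.0.
    return parts + (0,) * (3 - len(parts))

def channel_of(text: str) -> str:
    """ESR builds report an 'esr' suffix; everything else is treated as release."""
    return "esr" if text.strip().lower().endswith("esr") else "release"

def is_patched(version: str) -> bool:
    """True if the build is at or above the fixed version for its channel.
    A release-channel 115.x is held to the 124.0.1 floor, not the ESR one."""
    return parse_version(version) >= FIXED[channel_of(version)]

def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames still running a vulnerable build."""
    return [host for host, ver in inventory if not is_patched(ver)]

# Constructed sample inventory: (hostname, reported Firefox version).
SAMPLE = [
    ("ws-01", "124.0"),        # release, pre-fix
    ("ws-02", "124.0.1"),      # release, fixed
    ("ws-03", "115.9.0esr"),   # ESR, pre-fix
    ("ws-04", "115.9.1esr"),   # ESR, fixed
    ("ws-05", "115.10.0esr"),  # later ESR, fixed
    ("ws-06", "123.0.1"),      # older release, vulnerable
]

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE))
```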
The post 2 Firefox Zero-Days Exploited At Pwn2Own : Patch Now appeared first on Cyber Security News.
Cyber Security News
Susan Hinrichs: The cross between computer science and security. [chief scientist]
Susan Hinrichs, Chief Scientist at Aviatrix, sits down to share her story. With over 30 years of experience spanning a variety of networking and security disciplines, she has held both leadership and academic roles. Earlier in her career, Susan served as System Architect at Cisco, where she spent nine years designing and developing Centri Firewall and a variety of network security management tools. She worked as a Lecturer in Computer and Network Security for eight years at the University of Illinois at Urbana-Champaign (UIUC), where she developed a hands-on Security Lab introduction course for students in her first year and, later in her tenure, created a malware analysis course for senior students together with two colleagues. Drawing on everything she has done in her career, she offers this advice to newcomers to the field: “I think also as you’re trying to get that next job either as a student or as a professional trying to change direction a little bit, if you’re coming into interviews being able to talk about a project that you worked on, even if it’s not a project that really anyone uses, but if it’s something that’s interesting that you have in depth understanding of, I think is super valuable to get you noticed.” We thank Susan for sharing her story with us.
The CyberWire
Rite Aid says June data breach impacts 2.2 million people
Rite Aid, the third-largest drugstore chain in the United States, says that 2.2 million customers’ personal information was stolen last month in what it described as a “data security incident.” […]