Mozilla patches Pwn2Own vulnerabilities in Firefox and Thunderbird







Firefox was also hacked during the Pwn2Own hacking competition. Mozilla reacted quickly and provided security updates to fix the vulnerabilities discovered, including for Firefox ESR and Thunderbird.

Mozilla released security updates for Firefox just before the weekend. In Firefox 100.0.2 and Firefox ESR 91.9.1, the Mozilla developers have fixed two vulnerabilities that had been demonstrated two days earlier at the Pwn2Own hacker competition. The gaps have also been closed in Firefox for Android 100.3 and in the new Thunderbird version 91.9.1.

Manfred Paul (@_manfp) from the RedRocket Club in Bonn earned $100,000 in prize money for his Firefox hack on the first Pwn2Own day on May 18 without being in Vancouver. He exploited two previously unknown vulnerabilities in the Mozilla browser to ultimately break out of the browser sandbox and execute JavaScript code in a privileged process. The whole thing took less than ten seconds.


Mozilla representatives on site in Vancouver received all the details about the vulnerabilities from the organizer, Trend Micro ZDI, immediately afterwards. On this basis, the Mozilla developers ironed out the errors in just under two days and provided updates to close the security gaps. Mozilla classifies the vulnerabilities CVE-2022-1802 and CVE-2022-1529 as critical. A corresponding update for the Tor browser based on Firefox ESR is still pending.

In just over a week, on May 31, Mozilla plans to release Firefox 101 and Firefox ESR 91.10.




