Just a brief note to let you know that we were wrong about Firefox and Pwn2Own in our latest podcast…
…but we were right about how Mozilla would react in our latest podcast promotional video:
Latest podcast 🎧 Listen now! Firefox & Pwn2Own, Apple and an 0-day… and the mathematics that defeated Pythagoras.https://t.co/HDrZPQzlAQ pic.twitter.com/DxgdC8VM1j
— Naked Security (@NakedSecurity) May 20, 2022
In the video, we said (our own emphasis below):
In the podcast, we speculated, “Was this [recent Firefox fix] pushed out just in time for Pwn2Own, in the hope that it would stop the attack working?” If that was the reason, it didn’t work. […] But we do know that Mozilla will be rushing to fix this one as soon as they get the details out of the Pwn2Own competition.
To explain.
In an article last weekend, after our Linux distro had received an apparently hurried out-of-band Firefox patch but the update still hadn’t shown up on Firefox’s own website, we found ourselves wondering, “Is there some sort of cybersecurity scramble going on here?”
That update turned on a Windows-only sandbox hardening feature known as Win32k Lockdown, which had been months, if not years, in the making, but had just missed the scheduled 100.0 release.
Accordingly, we speculated that Firefox 100.0.1, a mere point release in which a brand new Windows security feature had suddenly been activated, was wrangled out specially, just in time for this year’s Pwn2Own hacking contest in Vancouver, Canada.
Why not wait?
We were surprised that Mozilla didn’t simply wait until the next scheduled release, 101.0, to turn the new feature on and announce it as a feature, rather than as a “security fix”, given that it wasn’t there to stop a clear and specific attack that was already known.
Usually, point releases come out to deal with urgent issues that genuinely can’t wait, such as new features that flop, or zero-day bugs that suddenly show up in the wild and need dealing with before the next four-weekly major update deadline rolls round.
But with Pwn2Own taking place this very week, and with Firefox in the firing line from experienced and successful bug hunter Manfred Paul, maybe Mozilla figured it was worth squeezing out 100.0.1 in time for the contest?
Just in case the new sandbox feature might throw an unexpected spanner into Paul’s otherwise-certain-to-succeed hacking session, and save the day?
On Wednesday, Paul’s session started with 30’00” on the clock, counting downwards (a hard upper bound of 30 minutes is imposed on each entrant).
After a short pause, the adjudicator reached out and clicked a button to initiate the hacking attempt by visiting a URL that unleashed Paul’s double exploit remotely. (The server was remote in network terms; physically it was on the same desk as the client under attack.)
Loosely speaking, Paul planned to break into Firefox, earning $50,000 in bug bounty for remote code execution, and then to break back out of it, earning another $50,000 for a full sandbox escape.
About seven elapsed seconds later, with a fist pump of acknowledgment from the adjudicator (Pwn2Own is exciting for everyone, not just the hackers), and with an unsurprisingly happy smile from Manfred Paul, now $100,000 better off, the clock stopped, having just flipped over to show 29’52”.
If Win32k Lockdown was supposed to stop the Pwn2Own attack, it didn’t, though we don’t doubt that the new sandbox protection will make plenty of future exploits harder to find and less reliable to use.
To claim a Pwn2Own prize, the deal is that you have to “show your working”, in full explanatory detail, to the maker of the system you just cracked, and give them first dibs at fixing it.
All proper bug bounties work this way, of course, but Pwn2Own isn’t just about spotting possible bugs and calling them in with a crash log; it’s about researching and writing up the bug and its dangers with careful and repeatable detail, up to and including a working exploit.
Well done to everyone involved
Well, that seven-second spectacular pwnage happened on Wednesday 2022-05-18.
And on Friday 2022-05-20, about an hour before midnight UK time, Firefox popped up to tell us, “An update is available to 100.0.2”.
Here are the relevant security notes, from Mozilla Security Advisory 2022-19:
* CVE-2022-1802: Prototype pollution in Top-Level Await implementation. Reporter: Manfred Paul via Trend Micro's Zero Day Initiative. Impact: Critical. Description: If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
* CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution. Reporter: Manfred Paul via Trend Micro's Zero Day Initiative. Impact: Critical. Description: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
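The “double-index into a JavaScript object” wording in the second advisory entry describes a well-known bug class, so here is an added illustration of it in plain JavaScript. This is not Mozilla’s code and not Manfred Paul’s exploit: the message format, the table layout and the function names are all constructed for the example. It shows how a lookup of the form table[a][b] = value, with a taken from an untrusted message, writes onto Object.prototype when a is the string "__proto__", so that every unrelated object in the process suddenly sees the attacker’s property, and then shows a hardened handler that stores the same data in a Map of Maps, where no string key can ever name the prototype chain.

```javascript
// Added illustration of the prototype-pollution-by-double-indexing bug class.
// Not Mozilla's code and not the Pwn2Own exploit; msg layout and names are constructed.

// Constructed vulnerable handler: a parent-process style settings table, indexed
// twice with values lifted straight out of an untrusted message.
function unsafeHandleMessage(state, msg) {
  // If msg.group is "__proto__", state[msg.group] is Object.prototype, which is
  // not undefined, so the "create the group" branch is skipped...
  if (state[msg.group] === undefined) {
    state[msg.group] = {};
  }
  // ...and this second index writes msg.key onto Object.prototype itself.
  state[msg.group][msg.key] = msg.value;
  return state;
}

// Hardened handler: keys are validated, and the table is a Map of Maps, so the
// string "__proto__" is just another piece of data rather than a walk up the chain.
const SAFE_KEY = /^[A-Za-z0-9_-]{1,64}$/;

function safeHandleMessage(state, msg) {
  if (typeof msg.group !== "string" || !SAFE_KEY.test(msg.group) ||
      typeof msg.key !== "string" || !SAFE_KEY.test(msg.key)) {
    throw new TypeError("rejected untrusted key in message");
  }
  let group = state.get(msg.group);
  if (group === undefined) {
    group = new Map();
    state.set(msg.group, group);
  }
  group.set(msg.key, msg.value);
  return state;
}

// Constructed hostile message: the first index names the prototype chain.
const HOSTILE_MSG = { group: "__proto__", key: "polluted", value: "attacker-controlled" };

// Runs the hostile message through the vulnerable handler and reports what a
// freshly created, unrelated object now sees. Cleans up afterwards so the
// pollution does not leak into the rest of the process.
function demonstratePollution() {
  const state = {};
  unsafeHandleMessage(state, HOSTILE_MSG);
  const victim = {};
  const leaked = victim.polluted;      // "attacker-controlled": the prototype was polluted
  delete Object.prototype.polluted;
  return leaked;
}

// Same message through the hardened handler: the value is stored under the key
// "__proto__" inside the Map, and unrelated objects are untouched.
function demonstrateHardened() {
  const state = new Map();
  safeHandleMessage(state, HOSTILE_MSG);
  const victim = {};
  return {
    leaked: victim.polluted,                         // undefined
    stored: state.get("__proto__").get("polluted"),  // "attacker-controlled", as plain data
  };
}

// Keys that fail the allow-list are rejected outright rather than used as indices.
function demonstrateRejection() {
  try {
    safeHandleMessage(new Map(), { group: "a b", key: "x", value: 1 });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log("unsafe handler leaked:", demonstratePollution());
console.log("hardened handler:", demonstrateHardened());
console.log("malformed key rejected:", demonstrateRejection());
```

A denylist of "__proto__", "constructor" and "prototype" on a plain object is the minimal fix, but it is brittle; keeping untrusted keys out of plain-object property lookups altogether, via Map or Object.create(null), removes the whole class of mistake rather than the one spelling of it.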
What to do?
We’ve patched already – how about you?
For the fourth time in the past week, we’re going to say: Patch early, patch often.
With a response time like this, it would be rude not to!
Oh, and a very big “well done and thank you” to everyone at every stage of this bug-finding-and-fixing process.