Just a brief note to let you know that we were wrong about Firefox and Pwn2Own in our recent podcast …
…but we were right about how Mozilla would react.
Embedded tweet from the Naked Security podcast:
Latest Podcast: Listen Now! Firefox & Pwn2Own, Apple and a 0-day… and math that defeated Pythagoras. https://t.co/HDrZPQzlAQ
– Naked Security, May 20, 2022
In the podcast, we said:
“Was [the recent Firefox fix] pushed out just in time for Pwn2Own, in the hope that it would stop the attack from working? For whatever reason, it didn’t work. […] But we know that Mozilla will rush to fix it as soon as it gets the details from the competition.”
To explain.
In an article last weekend, after our Linux distro received a Firefox patch that looked like an out-of-band update but that had not yet appeared on the Firefox website, we wondered, “Is there some kind of cybersecurity scramble going on here?”
That update turned on a sandboxing security feature known as Win32k Lockdown, which had been in the works for months, if not years, but had just missed the scheduled 100.0 release.
Accordingly, we speculated that Firefox 100.0.1, a mere point-release in which a brand new Windows security feature was abruptly activated, was aimed specifically at this year’s Pwn2Own hacking contest in Vancouver, Canada.
Why not wait?
We were surprised that Mozilla had not simply waited until the next scheduled release, 101.0, to roll out the new feature and announce it as a feature rather than as a “security fix”, given that it was not there to shut down a specific, well-defined attack that was already known.
Usually, point releases come out to deal with urgent issues that really can’t wait, such as new features that have flopped badly, or zero-day bugs that have suddenly shown up in the wild and need to be dealt with before the next four-week major update rolls round.
But with Pwn2Own happening this week, and with Firefox in the firing line of experienced and successful bug hunter Manfred Paul, perhaps Mozilla figured it was worth getting 100.0.1 out in time for the competition?
What if the new sandbox feature threw an unexpected spanner into Paul’s otherwise-sure-to-be-successful hacking session, and saved the day?
On Wednesday, Paul’s session started with 30'00" on the clock, counting downwards (a strict upper limit of 30 minutes is imposed on each entrant).
After a brief wait, the judge visited a URL and clicked a button to start the hacking attempt, which was set up to deliver Paul’s double exploit from a remote server. (The server was remote in network terms; physically it was on the same desk as the client under attack.)
Simply put, Paul planned to break into Firefox, earning $50,000 in bug bounty for Remote Code Execution, and then to break out of it, earning another $50,000 for a Full Sandbox Escape.
About seven seconds later, with a fist-pump of acknowledgement from the judge (Pwn2Own is exciting for everyone, not just for the hackers), and with an incredibly happy grin from Manfred Paul, now $100,000 better off, the clock stopped, having just flipped over to 29'52".
If Win32k Lockdown was supposed to stop the Pwn2Own attack, it didn’t, though we don’t doubt that the new sandbox protection will make future exploits harder to find and less reliable to use.
To claim a Pwn2Own prize, the agreement is that you “show your work” in full explanatory detail to the maker of the system you cracked, and give them first dibs at fixing it.
Of course, all bug bounties worthy of the name work that way, but Pwn2Own isn’t just about identifying potential bugs and reporting them via a crash log; it’s about researching and writing up bugs and their dangers carefully and with repeatable detail, including a working exploit.
Good news for everyone involved
Well, that amazing seven-second pwnage happened on Wednesday 2022-05-18.
And on Friday 2022-05-20, about an hour before midnight UK time, Firefox popped up to tell us, “An update is available to 100.0.2.”
Here are the relevant security notes from Mozilla Security Advisory 2022-19:
* CVE-2022-1802: Prototype pollution in Top-Level Await implementation.
  Reporter: Manfred Paul via Trend Micro's Zero Day Initiative
  Impact: Critical
  Description: If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.
* CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution.
  Reporter: Manfred Paul via Trend Micro's Zero Day Initiative
  Impact: Critical
  Description: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
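The second advisory entry describes a bug class rather than a Firefox-specific trick: untrusted input used as keys when “double-indexing” into a JavaScript object, obj[outer][inner] = value, where an outer key of __proto__ reaches Object.prototype and so plants a property on every plain object in the realm. The example below is added here to show that mechanism in isolation, beside a hardened handler; it is not Mozilla’s code, it does not reproduce the Firefox parent-process bug, and the message shape {outer, inner, value} and the state table are constructed for the example.

```javascript
// Added example, not Mozilla's code and not the Firefox bug itself: it shows
// the general class described in the advisory (untrusted input used as
// object keys, "double-indexing" obj[outer][inner], polluting the prototype).
// The message shape {outer, inner, value} and the `state` table are
// constructed for this example.

// Vulnerable pattern. With outer === "__proto__", the `in` check passes
// because every plain object inherits the __proto__ accessor, and
// state["__proto__"] *is* Object.prototype, so `inner` lands on every
// plain object in the realm, not just on `state`.
function applyMessageUnsafe(state, msg) {
  const { outer, inner, value } = msg;
  if (!(outer in state)) state[outer] = {};
  state[outer][inner] = value;
  return state;
}

// Hardened pattern: keys must be strings, keys that reach the prototype
// chain are rejected outright, nested tables have no prototype at all
// (Object.create(null)), and existence is checked with an own-property
// test rather than `in`.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyMessageSafe(state, msg) {
  const { outer, inner, value } = msg;
  if (typeof outer !== "string" || typeof inner !== "string") {
    throw new TypeError("keys must be strings");
  }
  if (FORBIDDEN_KEYS.has(outer) || FORBIDDEN_KEYS.has(inner)) {
    throw new Error("rejected key: " + outer + "." + inner);
  }
  if (!Object.prototype.hasOwnProperty.call(state, outer)) {
    state[outer] = Object.create(null);
  }
  state[outer][inner] = value;
  return state;
}

// Constructed attacker message: the outer key is __proto__.
const POLLUTING_MESSAGE = { outer: "__proto__", inner: "isAdmin", value: true };

// A fresh, unrelated object carries the injected property only if the
// prototype was polluted.
function freshObjectHas(key) {
  return ({})[key] !== undefined;
}

// Runs the unsafe handler and reports whether the injected property leaked
// into an unrelated object; then cleans Object.prototype so later checks
// start from a clean slate.
function demoUnsafe() {
  applyMessageUnsafe({}, POLLUTING_MESSAGE);
  const leaked = freshObjectHas("isAdmin");
  delete Object.prototype.isAdmin;
  return leaked;
}

// Runs the hardened handler on the same message: it is rejected and
// nothing leaks.
function demoSafe() {
  let rejected = false;
  try {
    applyMessageSafe(Object.create(null), POLLUTING_MESSAGE);
  } catch (e) {
    rejected = true;
  }
  return rejected && !freshObjectHas("isAdmin");
}

// A benign message is still stored as expected by the hardened handler.
function demoSafeBenign() {
  const state = applyMessageSafe(Object.create(null),
    { outer: "prefs", inner: "theme", value: "dark" });
  return state.prefs.theme;
}

console.log("unsafe handler leaked isAdmin into a fresh object:", demoUnsafe());
console.log("safe handler rejected the polluting message:", demoSafe());
console.log("safe handler stored the benign message:", demoSafeBenign());
```

The first advisory entry is the same mechanism seen from the other end: once a prototype is polluted, methods that privileged code looks up on an Array (or any built-in) can be the attacker’s, which is why the hardened handler refuses to let untrusted keys name anything on the prototype chain rather than trying to sanitise values after the fact.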
What to do?
We’ve already patched – how about you?
For the fourth time in the last week, we’re going to say: Patch early, patch often.
With a response time like this, it would be rude not to!
Oh, and a very big “Well done and thank you” to everyone involved at every stage of the finding-and-fixing process for these bugs.