Some vendors respond to security issues faster than others. Last week, the 10th annual Pwn2own hacking challenge was hosted by Trend Micro’s Zero Day Initiative (ZDI), with multiple groups of researchers taking aim at web browsers, operating systems and virtualization technology.
Mozilla’s Firefox web browser was successfully exploited on March 16, the second day of the Pwn2own event. Researchers from Chaitin Security Research Lab were the only group to attack Mozilla Firefox, and earned $30,000 for demonstrating a new zero-day exploit. On the day of the demonstration, the only detail publicly revealed about the exploit was that it made use of an integer overflow flaw in combination with an uninitialized memory buffer in the Windows kernel.
While not every organization impacted by Pwn2own exploits has yet responded with a patch, Mozilla moved quickly to fix the issue. Mozilla Foundation Security Advisory (MFSA) 2017-08 was released on March 17, along with the new Firefox 52.0.1 update fixing the issue demonstrated by Chaitin Security Research Lab at Pwn2own 2017.
The official vulnerability identifier for the flaw is CVE-2017-5248, and it is titled “integer overflow in createImageBitmap().”
“An integer overflow in createImageBitmap() was reported through the Pwn2Own contest,” Mozilla warns in its advisory. “The fix for this vulnerability disables the experimental extensions to the createImageBitmap API.”
Mozilla also explained why the uninitialized memory buffer overflow vulnerability in the Microsoft Windows kernel was needed in order to successfully exploit Firefox: the createImageBitmap function runs in the content sandbox, so a second vulnerability is required to compromise a user’s computer.
The Mozilla Firefox web browser’s appearance on the Pwn2own 2017 target list came after the open-source web browser was dropped from the target list in 2016.
The quick patching of Firefox after flaws were reported at Pwn2own 2017 is in line with past responses from Mozilla. After Mozilla Firefox was exploited at the Pwn2own 2015 event, Mozilla was also the first to issue a patch.
Mozilla was also the first to patch after the Pwn2own 2014 event.
Overall, across the three-day Pwn2own 2017 event, 51 different security bugs were reported to ZDI across Microsoft Windows, Microsoft Edge, Adobe Reader, Apple Safari, Apple macOS, Ubuntu Linux, Mozilla Firefox and VMware Workstation applications.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.