Firefox ESR and SeaMonkey received the patch, too

Mar 23, 2015 17:13 GMT

The security defenses in Mozilla’s web browser were defeated twice at this year’s Pwn2Own, but the developer was quick to remedy the issues by launching two intermediary releases since the completion of the hacking competition last week.

The latest build for Firefox is currently 36.0.4, and it was pushed to users in order to address a privilege escalation flaw in the browser that occurred when processing SVG content.

Initial patch was incomplete

This was achieved by security researcher Mariusz Mlynski, who received $55,000 / €50,350 for the demonstration. It is worth noting that the exploitation took less than one second to complete.

The exploit chain used by Mlynski allowed him to run arbitrary code in a privileged context by getting past the same-origin policy, which prevents scripts on a web page from accessing content that does not share the same origin.

In its security advisory, Mozilla says that the critical vulnerability, which is now identified as CVE-2015-0818, had received a fix in the previous build for Firefox (36.0.3, and 31.5.2 for ESR, the Extended Support Release), but it appears that the patch was not complete.

No zero-days left unaddressed

Another vulnerability was exploited at Pwn2Own 2015 by security researcher ilxu1a, who managed to take advantage of “a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access,” Mozilla said.

This allowed ilxu1a to read and write memory and execute arbitrary code on the local system, taking control of it. The deed earned him a reward of $15,000 / €14,000.

The security flaw is tracked as CVE-2015-0817 and it has been fixed since Firefox 36.0.3, Firefox ESR 31.5.2 and SeaMonkey 2.33.1.

At the moment, Mozilla has closed all the zero-day bugs successfully demonstrated by researchers at the Pwn2Own hacking contest, held at the CanSecWest security conference in Vancouver last week.