14 DAY TRIAL // When you have a lot of manpower, patching security vulnerabilities happens quickly. In fact, it took Mozilla only 22 hours to patch a zero-day vulnerability identified within Firefox at the Pwn2Own hacking competition that took place last week.
The new Firefox version 52.0.1, which was released late on Friday, contains the patch for the flaw discovered by hackers in the competition. The fix was confirmed via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, security team member at Mozilla.
The bug was discovered by the Chaitin Security Research Lab from China. The hackers managed to escalate privileges in an exploit during the hacking competition by combining the bug with an initialized buffer in the Windows kernel. The bug bounty for this particular vulnerability was of $30,000, indicating that it was a serious matter.
In a security advisory published by Mozilla, the company marks the integer overflow in the createImageBitmap() as "critical." They say that the bug was fixed in the newest version by disabling experimental extensions to the createImageBitmap API.
Mozilla also claims that since the function works in the content sandbox, it would have required a second vulnerability to compromise a user's computer. Chaitin used, in this instance, the Windows kernel.
Largest awards so far
Many vulnerabilities were discovered during the hacking competition. So far, few have been fixed, and definitely not many as fast as the one Mozilla patched up in Firefox. Microsoft and Apple are two of the companies people are waiting to hear from in this regard.
In total, contestants were awarded $833,000 for the discovered vulnerabilities this year, nearly double than what was awarded last year. In 2016, the awards reached $460,000 and the previous year $577,000. In the end, it all depends on how good a day the hackers have to find something critical to exploit.