Mozilla fixes $100,000 Firefox zero-days following two-day hackathon

Mozilla has swiftly patched a pair of critical Firefox zero-days after a researcher debuted them at a Vancouver cybersec competition. Manfred Paul demonstrated the bugs at Pwn2Own last week, the latest in the series of vulnerability and exploit events run by Trend Micro's Zero Day Initiative (ZDI). The event had security …

  1. Ramis101

    Range of FF versions?

    Would it be too much to ask for a version range for exploits like this? 120 to 124 or suchlike.

    Having just checked, I'm on 102.3esr, and don't wish to update for fear of the latest guff-storm that it will come with... hence ESR anyway.

    1. JessicaRabbit

      Re: Range of FF versions?

      According to https://nvd.nist.gov/vuln/detail/CVE-2024-29944 and https://nvd.nist.gov/vuln/detail/CVE-2024-29943 your version is vulnerable.

    2. Anthropornis

      Re: Range of FF versions?

      102 is several months out of support. 115esr was also affected. This month's 115.9.0esr got an emergency update to 115.9.1esr because of this.

    3. williamyf Bronze badge

      Re: Range of FF versions?

      ESR 102 is deprecated and fully insecure at this point. ESR 115.9.1 (what I am using) is fully patched against this, and is also the oldest Firefox version patched against this.

      If you are on the ESR channel, you should UPGRADE once a year, either as soon as the new ESR lands, or ~ three months later, when the new ESR hits the automatic UPGRADE channel.

      The next ESR (128) is expected to land on July 8 (I intend to install it then and there), and is expected to enter the automatic update system (and become the only ESR version) about Oct 1. It would behove you to UPGRADE if you value security.

      Also, if you are on ESR, you should enable automatic security updates, as it will not mess with your stability: the updates carry neither new features nor interface changes (i.e. no guff-storms), only security patches.

      1. Fruit and Nutcase Silver badge

        Re: Range of FF versions?

        +1

        Security Vulnerabilities fixed in Firefox ESR 115.9.1

        https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/

  2. Jurassic.Hermit

    Go

    That's a great way to encourage finding bugs via a competition and cash prizes.

    I don't know how they organise it, but everyone participating to the end should at the very least get their travel and hotel costs covered, to show appreciation that at least they tried to make a positive difference.

    1. the spectacularly refined chap Silver badge

      Sure just offer free flights and hotel for a city break to anyone who asks. No need for anything in return. It's not as if anyone would take the piss, either deliberately or script kiddies with an inflated sense of ego?

      You don't think they magic up these bugs on the spot, do you? They've been working on them for months and know roughly what they are worth; this is just the time to unfurl them and claim a payout.

      1. FrogsAndChips Silver badge

        That's what bothers me with these events. How many of these bounty hunters sit on critical vulns for months waiting for the right moment to disclose them and cash in the rewards? Bug hunters should have an incentive to find vulns and be rewarded for it immediately - and it's good to see many companies have such a policy in place - not just a couple of days a year.

  3. Charlie Clark Silver badge

    Kudos to Mozilla for the quick fix

    Meanwhile, over in the Microsoft corner, anyone with Exchange is still trying to figure out whether they're vulnerable to the most recent attacks: should we disable OWA and with it mobile access? And the smug kids over by the Apple Juice Cooler should wipe that smirk off their face: they usually only find out about zero-day vectors months after they've been reported.
