Mozilla fixes $100,000 Firefox zero-days following two-day hackathon Mozilla has swiftly patched a pair of critical Firefox zero-days after a researcher debuted them at a Vancouver cybersec competition. Manfred Paul demonstrated the bugs at Pwn2Own last week, the latest in the series of vulnerability and exploit events run by Trend Micro's Zero Day Initiative (ZDI). The event had security …
ESR 102 is deprecated and fully insecure at this point. ESR 115.9.1 (what I am using) is fully patched against this. And is also the oldest firefox version patched against this.
If you are on the ESR channel, you should UPGRADE once a year, either as soon as the new ESR lands, or ~ three months later, when the new ESR hits the automatic UPGRADE channel.
The next ESR (128) is expected to land on July 8 (I intend to install it then and there), and is expected to enter the automatic update system (and become the only ESR version) about Oct 1. It would behove you to UPGRADE if you value security.
Also, if you are on ESR, you should enable automatic security updates, as it will not mess with your stability, as the updates carry neither neither new features, nor inteface changes (i.e. no guff-storms), only security patches.
+1
Security Vulnerabilities fixed in Firefox ESR 115.9.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/
That's a great way to encourage finding bugs via a competition and cash prizes.
I don't know how they organise it, but everyone participating to the end should at the very least get their travel and hotel costs covered, to show appreciation that at least they tried to make a positive difference.
Sure just offer free flights and hotel for a city break to anyone who asks. No need for anything in return. It's not as if anyone would take the piss, either deliberately or script kiddies with an inflated sense of ego?
You don't think they magic up these bulbs on the spot do you? They've been working on them months and know roughly what they are worth, this is just the time to unfurl them and claim a payout.
That's what bothers me with these events. How many of these bounty hunters sit on critical vulns for months waiting for the right moment to disclose them and cash in the rewards? Bug hunters should have an incentive to find vulns and be rewarded for it immediately - and it's good to see many companies have such a policy in place - not just a couple days a year.
Meanwhile…over in the Microsoft corner, anyone with Exchange is still trying to figure out whether they're vulnerable to the most recent attacks: should we disable OWA and with it mobile access? And the smug kids over by the Apple Juice Cooler should wipe that smirk of their face: they usually only find out about zero-day vectors months after they've been reported.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
