Advisory

Mozilla Firefox releases patch to fix critical flaw, patch ASAP

Take action: If you are using Mozilla Firefox, patch it ASAP. It's a simple fix, and you get your tabs back after the restart. Don't delay.


Learn More

Mozilla has released Firefox 124.0.1 and Firefox ESR 115.9.1 to address two critical security vulnerabilities. These vulnerabilities potentially allow attackers to run arbitrary code on systems running outdated versions of the browser.

  • CVE-2024-29944 (CVSS score 9.1) centers on the manipulation of privileged objects within the desktop variant of Firefox, enabling attackers to insert malicious event handlers. This vulnerability, exclusive to the desktop environment and not affecting mobile versions, could lead to the execution of arbitrary JavaScript code at the browser's core level, giving the attacker full control of the browser.
  • CVE-2024-29943 (CVSS score 8.8) is an out-of-bounds access issue resulting from a security check bypass. Through specially crafted inputs, attackers could breach security perimeters to perform unauthorized reads or writes on JavaScript objects, setting the stage for potential code execution attacks.

The flaws were identified by Manfred Paul during the Pwn2Own 2024 hacking event. Despite the standard 90-day window given to vendors to address vulnerabilities post-Pwn2Own, Mozilla expedited its response, releasing patches within a day after the contest concluded. This means users should patch ASAP.
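To turn the fixed versions above into a fleet check, here is an added example (not from Mozilla or this advisory) that parses Firefox version strings and flags hosts still below 124.0.1 on the release branch or 115.9.1 on the ESR branch; the hostnames and inventory are constructed.

```python
import re

# Constructed example (not part of the Mozilla advisory): the first Firefox
# builds carrying the fix for CVE-2024-29943 and CVE-2024-29944, as named above.
FIXED_RELEASE = (124, 0, 1)   # rapid-release branch
FIXED_ESR = (115, 9, 1)       # Extended Support Release branch

# Accepts "124.0", "124.0.1", "115.9.0esr" or "Mozilla Firefox 115.9.1esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, is_esr) from a Firefox version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch, esr = m.groups()
    # A missing third component ("124.0") is the .0 build of that minor.
    return int(major), int(minor), int(patch or 0), esr is not None


def is_patched(text):
    """True if this Firefox build already carries the fix."""
    major, minor, patch, is_esr = parse_version(text)
    # The two branches have separate fixed builds: an ESR at 115.9.0 is
    # unpatched even though it is "older" than the release fix, so compare
    # each build against the fixed version of its own branch.
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return (major, minor, patch) >= fixed


def unpatched_hosts(inventory):
    """Return the hostnames whose Firefox still needs the update, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed inventory: hostname -> output of `firefox --version`.
    sample = {
        "ws-01": "Mozilla Firefox 124.0",
        "ws-02": "Mozilla Firefox 124.0.1",
        "kiosk-03": "Mozilla Firefox 115.9.0esr",
        "kiosk-04": "Mozilla Firefox 115.9.1esr",
        "legacy-05": "Mozilla Firefox 102.15.1esr",
    }
    for host in unpatched_hosts(sample):
        print(f"{host}: {sample[host]} -> update required")
```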
