Mozilla Firefox Security Updates – 23 March 2024

Mozilla has released Firefox version 124.0.1 and Firefox ESR version 115.9.1 to fix two zero-day vulnerabilities.

The addressed vulnerabilities could allow a remote attacker to execute arbitrary code and gain access to the affected products by fooling range-based bounds check elimination or injecting an event handler into a privileged object.

The addressed vulnerabilities:

1. Mozilla Firefox Code Execution Vulnerability (CVE-2024-29943):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

2. Mozilla Firefox Code Execution Vulnerability (CVE-2024-29944):

  • CVSS: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

It should be highlighted that Firefox is warning that the critical vulnerabilities (CVE-2024-29943, CVE-2024-29944) are being actively exploited during the Pwn2Own Vancouver 2024 hacking competition.

Vulnerabilities
  • CVE-2024-29943
  • CVE-2024-29944

Mitigations

Enterprises should deploy this patch as soon as their testing phase is completed.
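
To confirm the rollout, the following added example (not part of the original advisory) classifies hosts by the output of `firefox --version` against the fixed versions named above. The hostnames and inventory are constructed sample data, and the "esr" suffix in the version string is assumed to mark ESR builds.

```python
import re

# Fixed versions taken from the advisory above.
FIXED_RELEASE = (124, 0, 1)   # Firefox release channel
FIXED_ESR = (115, 9, 1)       # Firefox ESR

# Matches the version token in `firefox --version` output, e.g.
# "Mozilla Firefox 124.0.1" or "Mozilla Firefox 115.9.1esr".
# Pre-release strings such as "125.0b3" do not match and are reported
# as "unknown" so that they get a manual look.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def classify(version_output):
    """Return 'patched', 'needs-update' or 'unknown' for one version string."""
    match = _VERSION_RE.search(version_output)
    if not match:
        return "unknown"
    major, minor, patch, esr = match.groups()
    version = (int(major), int(minor), int(patch or 0))
    # ESR builds are compared against the ESR fix, all others against release.
    fixed = FIXED_ESR if esr else FIXED_RELEASE
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Return {host: status} for every host not confirmed as patched."""
    findings = {}
    for host, version_output in sorted(inventory.items()):
        status = classify(version_output)
        if status != "patched":
            findings[host] = status
    return findings


# Constructed sample inventory: hostname -> output of `firefox --version`.
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 124.0.1",
    "ws-002": "Mozilla Firefox 123.0.1",
    "ws-003": "Mozilla Firefox 115.9.1esr",
    "ws-004": "Mozilla Firefox 115.8.0esr",
    "ws-005": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```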
