Firefox Announces Same-Day Update After Two Minor Pwn2Own Exploits (mozilla.org)
(Sunday May 18, 2025 @11:34AM (EditorDavid)
from the quick-as-a-fox dept.)
- Reference: 0177605209
- News link: https://tech.slashdot.org/story/25/05/18/0558219/firefox-announces-same-day-update-after-two-minor-pwn2own-exploits
- Source link: https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/
During this year's annual Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, [1]reports Cyber Security News , "earning $50,000 and 5 Master of Pwn points." And [2]the next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).
But [3]Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox..."
> We have verbal confirmation that this is attributed to the [4]recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture.
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla [5]responded to an exploitable security bug within 21 hours , they point out, even winning an [6]award as the fastest to patch .)
The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible...."
> To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....
>
> Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected.
[1] https://cybersecuritynews.com/pwn2own-0-day-vulnerabilities/
[2] https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results
[3] https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/
[4] https://attackanddefense.dev/2025/04/09/hardening-the-firefox-frontend-with-content-security-policies.html
[5] https://blog.mozilla.org/security/2024/04/04/rapidly-leveling-up-firefox-security/
[6] https://www.zerodayinitiative.com/blog/2024/8/1/introducing-the-vanguard-awards
But [3]Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox..."
> We have verbal confirmation that this is attributed to the [4]recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture.
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla [5]responded to an exploitable security bug within 21 hours , they point out, even winning an [6]award as the fastest to patch .)
The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible...."
> To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....
>
> Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected.
[1] https://cybersecuritynews.com/pwn2own-0-day-vulnerabilities/
[2] https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results
[3] https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/
[4] https://attackanddefense.dev/2025/04/09/hardening-the-firefox-frontend-with-content-security-policies.html
[5] https://blog.mozilla.org/security/2024/04/04/rapidly-leveling-up-firefox-security/
[6] https://www.zerodayinitiative.com/blog/2024/8/1/introducing-the-vanguard-awards
Re: (Score:2)
Have you used it in the last, say, three years? They made massive improvements. I run with uBlock Origin, uMatrix (probably not for most folks, but I'm a paranoid OCD control freak), Greasemonkey with a dozen installed scripts, and Facebook Container, and it's lightning fast. They went through a bad spot 5-10 years ago, but for the last several years it's been as fast as Chrome for me, and unlike Chrome, doesn't constantly try to break ad-blocking extensions.