Pwn2Own 2019

Sampei Nihira

Pwn2Own 2019

Unread post by Sampei Nihira » 2019-03-22, 15:22

Hi,
.....The experts chained a just-in-time (JIT) bug and an out-of-bounds write flaw in the Windows kernel..........
https://securityaffairs.co/wordpress/82 ... -day2.html

Is Pale Moon also vulnerable to the JIT compiler bug?

vannilla
Moon Magic practitioner

Re: Pwn2Own 2019

Unread post by vannilla » 2019-03-22, 16:34

Is there an explanation of the bug, or is it just a "this bug exists" type of announcement?

gepus
Keeps coming back

Re: Pwn2Own 2019

Unread post by gepus » 2019-03-22, 18:04

Important - it needs a specially crafted website for the exploit to work.
Since I assume that Pale Moon basically inherits its ECMAScript engine from that of Mozilla, the chances that the exploit could work are high.
It would have been useful if the article had specified whether it applies to all previous versions of Firefox as well.

As far as I can recall there were bugs in the JIT implementation in the past and it wouldn't come as a surprise if there still are.

yami_

Re: Pwn2Own 2019

Unread post by yami_ » 2019-03-22, 18:22

If I understand correctly, this exploit targets the current Firefox version. Some significant changes were made to SpiderMonkey since UXP was forked. Also, the target of this exploit is the host operating system of a virtualized guest OS running the web browser, so in theory it might only affect the host and not the guest OS. Hard to say what is true since AFAIK no PoC was published.

Sampei Nihira

Re: Pwn2Own 2019

Unread post by Sampei Nihira » 2019-03-22, 19:28

The vulnerability has already been fixed by the Mozilla team:

https://www.mozilla.org/en-US/security/ ... sa2019-09/

gepus
Keeps coming back

Re: Pwn2Own 2019

Unread post by gepus » 2019-03-22, 20:59

Since Mozilla deliberately doesn't mention anymore which versions of Firefox are affected (keeping recently introduced bugs obscured), one can only guess.
It seems that, as yami_ suggests, it's a new bug which doesn't affect previous versions of Firefox (pre-60) and Pale Moon.

JustOff

Re: Pwn2Own 2019

Unread post by JustOff » 2019-03-22, 21:23

Actually, I suspect that previous versions of Firefox and Pale Moon/Basilisk are also affected by these new vulnerabilities. However, the fixes have already been published and I'm sure that, if necessary, Moonchild will apply them to the UXP platform as part of porting the security updates he is currently working on.

yami_

Re: Pwn2Own 2019

Unread post by yami_ » 2019-03-22, 21:27

Did Mozilla publish the patches?

JustOff

Re: Pwn2Own 2019

Unread post by JustOff » 2019-03-22, 21:32

Of course they did, as always. Corresponding bugs are hidden, but not patches.

yami_

Re: Pwn2Own 2019

Unread post by yami_ » 2019-03-22, 21:50

Oh yeah, of course patches are public... Sorry for bothering you JustOff. Looks like I need more sleep.

Moonchild
Pale Moon guru

Re: Pwn2Own 2019

Unread post by Moonchild » 2019-03-23, 13:21

As per usual, I always port all applicable sec patches across from Mozilla (or write my own to address applicable vulnerabilities) the moment I'm granted access to the relevant sec bugs that remain hidden from the public.
Note: all applicable patches. Far from everything applies to UXP or Pale Moon. For example: "sandbox escapes" are related to the e10s "sandbox", and that is a big N/A for us because we don't use e10s and don't even have this sandbox code anymore (which, by the way, was misconstrued by opponents of our direction as "removing essential security" -- they either didn't understand that the code was specifically for electrolysis, or chose to ignore that fact to get more sensationalist points).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Sampei Nihira

Re: Pwn2Own 2019

Unread post by Sampei Nihira » 2019-03-27, 13:13

I noticed that the latest versions of Pale Moon and Basilisk have not received updates for the CVE-2019-9810 and CVE-2019-9813 exploits that allowed Firefox to be bypassed.
Is my conclusion that they were not exposed to the vulnerabilities correct?
TH.

Moonchild
Pale Moon guru

Re: Pwn2Own 2019

Unread post by Moonchild » 2019-03-27, 13:22

ZDI-CAN-8368 was fixed. This was Richard Zhu and Amat Cama's entry from pwn2own 2019.
Looking up the CVE for that, that's CVE-2019-9810.

The other did not apply (because it's an e10s sandbox escape).

Sampei Nihira

Re: Pwn2Own 2019

Unread post by Sampei Nihira » 2019-03-27, 14:00

:thumbup: :clap:
