Mozilla and Google developers have fixed critical vulnerabilities in the Firefox and Chrome browsers that hackers recently discovered at the Chinese Tianfu Cup competition. Let me remind you that the Tianfu Cup, the largest and most prestigious hacking competition in China, ended at the end of last week.
In fact, the Tianfu Cup is very similar to Pwn2Own and was created precisely after the Chinese government banned local cybersecurity researchers from participating in hacker contests organized overseas in 2018.
“The essence of the competition is to exploit previously unknown vulnerabilities and use them to hack a specific application or device. If the exploit works, and the attack succeeds, the researchers receive points for this, and eventually cash prizes,” say the organizers of the Tianfu Cup.
As with Pwn2Own, all exploits used and bugs found are reported to the developers of the compromised products, and patches are released shortly after the end of the event. This year the participants managed to compromise iOS, Windows 10, Safari, Chrome, Firefox and other products, and fixes and details of the bugs found soon followed.
The Firefox vulnerability, identified as CVE-2020-26950, is described by browser developers as an issue related to a use-after-free bug in MCallGetProperty. The flaw was fixed in Firefox 82.0.3, Firefox ESR 78.4.1 and Thunderbird 78.4.2.
In turn, the Chrome vulnerability found at the Tianfu Cup is being tracked as CVE-2020-16016. Google describes it as an incorrect implementation in the base component. The company’s engineers fixed the bug with an update for Chrome 86, which was released earlier this week.
The exploitation of CVE-2020-26950 and CVE-2020-16016 was demonstrated at the Tianfu Cup by the team of the Chinese tech giant Qihoo 360. This team went on to win the competition and earned $744,500, almost two-thirds of the total prize pool, which this year amounted to $1.21 million.
“For example, a vulnerability in Firefox brought Qihoo 360 specialists $40,000, and a problem in Chrome that allowed remote code execution from the sandbox brought them $100,000,” say the organizers of the Tianfu Cup.
Let me remind you that the Pwn2Own Tokyo hacking competition has also ended, where NAS devices, routers and TVs from well-known manufacturers were hacked.