A documentary-style account of Mozilla's response to a Firefox zero-day exploit demonstrated at Pwn2Own Berlin by Manfred Paul. The exploit targeted a JIT bounds-check elimination bug in the linear sums optimization, allowing out-of-bounds array access via integer underflow. Mozilla's team received the exploit details in the disclosure room, analyzed why existing fuzzers (particularly Fuzzilli) missed the 4-year-old bug — likely due to Spectre mitigations and debug build performance differences. Within hours, a patch was developed (an early return disabling the optimization), reviewed, and shipped as Firefox 138.0.4 in under 12 hours — a potential new record for Mozilla's 'chemspill' security-driven rapid release process. The piece also explains browser sandbox mechanics and why Pwn2Own renderer-only exploits disable the sandbox via MOZ_DISABLE_CONTENT_SANDBOX.