
See https://bugzilla.mozilla.org/show_bug.cgi?id=1894735#c15. It was code specifically targeting Firefox on Windows to blame.


Common Voice is part of the Mozilla Foundation, not the Mozilla Corporation responsible for shipping Firefox. I.e. what donations to Mozilla actually go towards.


Notably, MV3 extensions are now supported.


Isn't OpenSSL included in the oss-fuzz project? If Hanno caught it this quickly with his fuzzer, it would seem surprising if they didn't also.


It is, it'll build a few fuzzers hitting different areas[0]. The important function in many of those `.c` files is `FuzzerTestOneInput` which is effectively the entrypoint for a single fuzz test.

Taking a look at x509.c[1], which I believe is the most likely to be able to reach the punycode parser (I am not at all familiar with the codebase), you can see that the OpenSSL fuzzer is basically doing a holistic fuzz (I assume the i2d* and d2i* functions exercise the parser); that is, it's just invoking key entrypoints that in theory can exercise all the rest of the functionality with the correct inputs.

Hanno's fuzzer, on the other hand, is explicitly only testing the `ossl_punnycode_decode` function[2].

Given the breadth of the fuzzer, I think it's very possible OSS-Fuzz just didn't hit it.

[0] https://github.com/openssl/openssl/blob/master/fuzz/

[1] https://github.com/openssl/openssl/blob/master/fuzz/x509.c

[2] https://twitter.com/hanno/status/1587775675397726209/photo/2


Given how much horse power and experience they have, this is very disappointing.


"They" who? Even since Heartbleed, the OpenSSL project is still woefully underfunded given its importance to... well, everything on the internet.


I meant OSS-Fuzz, i.e. Google & co.


Just because a project uses oss-fuzz, you can't assume it has good fuzz coverage. In this case, they probably should have written a specialized fuzz target for the Punycode parser. Parsers like this are easy to fuzz and such bugs are typically caught very quickly, often in mere seconds. With a more general fuzz target, it can take much longer to come up with input that triggers the bug.
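An added example, not OpenSSL's code and not Hanno's fuzzer, of the specialised fuzz target that the two comments above (the one walking through `fuzz/x509.c` and the one arguing for a dedicated Punycode target) describe: a libFuzzer-style entry point that hands every input straight to one decoder function instead of a whole-certificate parser. libFuzzer's actual symbol is `LLVMFuzzerTestOneInput`; OSS-Fuzz builds targets around it. The decoder is a from-scratch RFC 3492 implementation written for this example, so the name `punycode_decode`, the 64-code-point output buffer and the sample strings are all assumptions, and the `main` replays a few constructed inputs so the file runs without libFuzzer.

```c
/* Added example: narrow libFuzzer-style target for a Punycode decoder.
 * Not OpenSSL code; the decoder below follows RFC 3492 and was written
 * for this example. Names and buffer sizes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PC_BASE 36
#define PC_TMIN 1
#define PC_TMAX 26
#define PC_SKEW 38
#define PC_DAMP 700
#define PC_INITIAL_BIAS 72
#define PC_INITIAL_N 128

/* One base-36 digit of the Punycode alphabet to its value, or -1. */
static int pc_digit(unsigned char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/* Bias adaptation, RFC 3492 section 6.1. numpoints is always >= 1. */
static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2) {
        delta /= PC_BASE - PC_TMIN;
        k += PC_BASE;
    }
    return k + ((PC_BASE - PC_TMIN + 1) * delta) / (delta + PC_SKEW);
}

/* Decode in[0..in_len) into out (code points). Returns the number of code
 * points written, or -1 on a malformed digit, truncated digit run, integer
 * overflow, or when out_max would be exceeded. Every write is bounds-checked,
 * so a crash found by the fuzzer would be a logic bug, not an oversized input. */
int punycode_decode(const unsigned char *in, size_t in_len,
                    uint32_t *out, size_t out_max)
{
    uint32_t n = PC_INITIAL_N, i = 0, bias = PC_INITIAL_BIAS;
    size_t out_len = 0, pos, last_delim = in_len;   /* in_len = no delimiter */

    /* Everything before the last '-' is ASCII and copied through unchanged. */
    for (pos = 0; pos < in_len; pos++)
        if (in[pos] == '-') last_delim = pos;
    for (pos = 0; pos < last_delim && last_delim < in_len; pos++) {
        if (in[pos] >= 0x80 || out_len >= out_max) return -1;
        out[out_len++] = in[pos];
    }
    pos = last_delim < in_len ? last_delim + 1 : 0;

    while (pos < in_len) {
        uint32_t oldi = i, w = 1, k;
        for (k = PC_BASE;; k += PC_BASE) {
            int d;
            uint32_t t;
            if (pos >= in_len) return -1;                       /* truncated */
            d = pc_digit(in[pos++]);
            if (d < 0) return -1;                               /* bad digit */
            if ((uint32_t)d > (UINT32_MAX - i) / w) return -1;  /* i overflow */
            i += (uint32_t)d * w;
            t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias);
            if ((uint32_t)d < t) break;
            if (w > UINT32_MAX / (PC_BASE - t)) return -1;      /* w overflow */
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, (uint32_t)out_len + 1, oldi == 0);
        if (i / (out_len + 1) > UINT32_MAX - n) return -1;       /* n overflow */
        n += i / (uint32_t)(out_len + 1);
        i %= (uint32_t)(out_len + 1);
        if (out_len >= out_max) return -1;                      /* no room */
        memmove(&out[i + 1], &out[i], (out_len - i) * sizeof(out[0]));
        out[i++] = n;
        out_len++;
    }
    return (int)out_len;
}

/* The narrow target: libFuzzer/OSS-Fuzz call this once per generated input,
 * so every byte the fuzzer produces reaches the decoder immediately. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t buf[64];   /* assumed output limit for the harness */
    (void)punycode_decode(data, size, buf, sizeof buf / sizeof buf[0]);
    return 0;
}

/* Stand-alone replay of constructed inputs (libFuzzer normally supplies main). */
int main(void)
{
    const char *samples[] = { "bcher-kva", "Mnchen-3ya", "99999999", "bcher-kv" };
    size_t s;
    for (s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        uint32_t out[64];
        int n = punycode_decode((const unsigned char *)samples[s],
                                strlen(samples[s]), out, 64);
        printf("%-12s -> %d\n", samples[s], n);
        LLVMFuzzerTestOneInput((const uint8_t *)samples[s], strlen(samples[s]));
    }
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address` and no `main`, this becomes a target whose whole search space is the decoder's input grammar; the same decoder reachable only through a DER certificate, as in the holistic target, needs the fuzzer to first construct a valid name constraint containing an `xn--` label before a single byte reaches it.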


Mozilla occasionally rolls out features in the current release via remote mechanisms. So it's rolling out to existing v101 installs now. I would assume that v102 will also ship with it on by default.


These are just the pwn2own vulnerabilities. Nowhere did Mozilla ever say they were being exploited in the wild.


Perhaps they moved fast:

"Mozilla is aware of websites exploiting this vulnerability already."


We are not aware of any such thing. As rebelwebmaster noted, when we know that we put it in our advisory.

Clearly the vulnerabilities are exploitable as demonstrated by Manfred Paul's winning Pwn2Own entry. The details were disclosed only to Zero Day Initiative staff (the contest organizers) and Mozilla. They have not been discovered on any website in the wild.


Tails has updated their advisory to remove that statement: https://tails.boum.org/security/prototype_pollution/index.en...


Perhaps Tails copy/pasted the page from an older notice?

Although the two patches have now been public for ~6 days at this point.


Who are "we" here?


Judging by the post and the user's post history, almost certainly 'we' refers to Mozilla.


Post history suggested at best ex-Mozilla to me.


Citation needed.

Also, they've specifically called that out in the advisory when they're aware of that being the case. See the last out-of-band security update they released for example:

https://www.mozilla.org/en-US/security/advisories/mfsa2022-0...


The article goes out of its way to quote a Google engineer but doesn't bother talking to anyone at Mozilla outside of quoting bug comments?


Hi, I'm the author of this story. Mozilla declined to make anyone available for an interview and would only provide canned responses to questions via email (included in the story).


It was Cylance made by Blackberry.


I had an awful experience with Cylance and some open source software I maintained, too-- false positive detections, and they wouldn't fix it.


Their website is... blech.


They received a MOSS grant once upon a time.

https://blog.mozilla.org/blog/2017/04/10/mozilla-awards-3650...

That said, given Mozilla's current financial troubles, it seems pretty unlikely they'd be in a position to hire.


