Hacker News

Perhaps they moved fast:

"Mozilla is aware of websites exploiting this vulnerability already."




We are not aware of any such thing. As rebelwebmaster noted, when we know that, we put it in our advisory.

Clearly the vulnerabilities are exploitable as demonstrated by Manfred Paul's winning Pwn2Own entry. The details were disclosed only to Zero Day Initiative staff (the contest organizers) and Mozilla. They have not been discovered on any website in the wild.


Tails has updated their advisory to remove that statement: https://tails.boum.org/security/prototype_pollution/index.en...


Perhaps Tails copy/pasted the page from an older notice?

Although the two patches have now been public for ~6 days at this point.


Who are "we" here?


Judging by the post and the user's post history, almost certainly 'we' refers to Mozilla.


Post history suggested at best ex-Mozilla to me.


Citation needed.

Also, they've specifically called that out in the advisory when they're aware of that being the case. See the last out-of-band security update they released for example:

https://www.mozilla.org/en-US/security/advisories/mfsa2022-0...



