Mozilla patched all four bugs among 18 security advisories addressed in Firefox 28. Google also paid out more than $150,000 to the winners of its Pwnium contest, which went after bugs in Chromium and Chrome OS. Researchers from French exploit vendor VUPEN found a memory corruption issue leading to an exploitable use-after-free condition. Mozilla said: "TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution."
Source: https://threatpost.com/mozilla-patches-pwn2own-zero-days-in-firefox-28/104889/
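The neutering case Mozilla describes can be written as a regression check that any JavaScript engine should pass: once a buffer is detached, every view created on it must report zero length and refuse element access. The following is an added example, not code from Mozilla or the article; the helper names `detach`, `throwsTypeError` and `checkDetachedViews` are illustrative, and it assumes a runtime that provides `structuredClone` or `MessageChannel`.

```javascript
"use strict";

// Detach ("neuter") a buffer by transferring ownership away from it.
function detach(buffer) {
  if (typeof structuredClone === "function") {
    structuredClone(buffer, { transfer: [buffer] });
  } else {
    const { port1, port2 } = new MessageChannel();
    port1.postMessage(buffer, [buffer]);
    port1.close();
    port2.close();
  }
}

function throwsTypeError(fn) {
  try { fn(); } catch (e) { return e instanceof TypeError; }
  return false;
}

// Returns the list of violated invariants; an empty list means every
// view was correctly invalidated when its buffer was detached.
function checkDetachedViews() {
  const failures = [];
  const expect = (ok, what) => { if (!ok) failures.push(what); };

  for (const Ctor of [Uint8Array, Int32Array, Float64Array]) {
    const buffer = new ArrayBuffer(64);
    const view = new Ctor(buffer, 8, 4); // view created while the buffer is live
    view[0] = 7;
    detach(buffer);                      // buffer neutered while the view is still in use

    expect(buffer.byteLength === 0, `${Ctor.name}: buffer.byteLength not 0`);
    expect(view.length === 0, `${Ctor.name}: stale view.length`);
    expect(view.byteLength === 0, `${Ctor.name}: stale view.byteLength`);
    expect(view[0] === undefined, `${Ctor.name}: read returned data`);
    try { view[0] = 1; } catch (_) { /* throwing is also a safe outcome */ }
    expect(view[0] === undefined, `${Ctor.name}: write was stored`);
    expect(throwsTypeError(() => view.fill(1)), `${Ctor.name}: fill() did not throw`);
  }

  const buffer = new ArrayBuffer(16);
  const dataView = new DataView(buffer);
  detach(buffer);
  expect(throwsTypeError(() => dataView.getUint8(0)), "DataView: read did not throw");
  expect(throwsTypeError(() => dataView.setUint8(0, 1)), "DataView: write did not throw");
  return failures;
}
```

A non-empty result names the view type whose length or access check was not updated on detach, which is the class of defect the advisory describes.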

