Mozilla Issues Emergency Patch for Critical Firefox Vulnerability
Recently, Mozilla issued a critical security patch for Firefox to address a zero-day vulnerability that is being actively exploited by attackers. The vulnerability, identified as CVE-2024-9680, is a use-after-free flaw in Firefox’s Animation timelines that allows attackers to execute malicious code on a user’s system. It has a CVSS v3 severity score of 9.8 Critical.
CVE-2024-9680: A Closer Look
Discovered by ESET researcher Damien Schaeffer, this use-after-free flaw was found in Firefox’s Animation timelines, a feature of the Web Animations API. This API is responsible for controlling and synchronizing web page animations.
A use-after-free vulnerability occurs when memory that has been previously freed by the program is still accessible, allowing malicious actors to inject their own harmful data into the freed memory. This can lead to code execution, which, in this case, could allow attackers to take control of an affected system.
According to Mozilla’s security bulletin, this vulnerability has already been exploited, meaning the threat is real and immediate. An attacker could use this flaw to execute arbitrary code, potentially installing malware or gaining further control over a user’s device.
Impact on Firefox and ESR Versions
The vulnerability affects both the latest Firefox release and extended support releases (ESR), making it critical for all users to update their browsers. Mozilla has released patches in the following versions:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
While details about how the vulnerability is being exploited are scarce, experts suggest several possibilities. Attackers could use the flaw as part of a watering hole attack, where specific websites are compromised to infect visitors with malware, or through a drive-by download tactic, tricking users into visiting malicious websites that automatically deliver harmful payloads.
The lack of information on the specific methods used by threat actors emphasizes the need for swift action. Mozilla’s advice is simple: update Firefox immediately. Users can easily apply the update by going to Settings > Help > About Firefox, where the browser will automatically install the latest version. A restart is required for the patch to take effect.
Conclusion
Given that this is an actively exploited Firefox Zero-Day vulnerability, meaning it’s being weaponized before a patch was issued, Mozilla advises users to upgrade as soon as possible. Without timely updates, users remain exposed to attackers leveraging this vulnerability for malicious purposes.
By keeping your Firefox browser up to date with latest security patches, you can protect yourself from vulnerabilities that may otherwise be exploited to compromise your system. Stay safe online!
The sources for this article include a story from BleepingComputer.