Mozilla Releases an Emergency Fix for a Critical Firefox Vulnerability



by Rohan Timalsina

October 22, 2024 - TuxCare Expert Team

Recently, Mozilla issued a critical security patch for Firefox to address a zero-day vulnerability that is being actively exploited by attackers. The vulnerability, identified as CVE-2024-9680, is a use-after-free flaw in Firefox’s Animation timelines that allows attackers to execute malicious code on a user’s system. It carries a CVSS v3 severity score of 9.8 (Critical).


CVE-2024-9680: A Closer Look


Discovered by ESET researcher Damien Schaeffer, this use-after-free flaw was found in Firefox’s Animation timelines, a feature of the Web Animations API. This API is responsible for controlling and synchronizing web page animations.

A use-after-free vulnerability occurs when a program frees a block of memory but keeps a pointer to it and later uses that stale pointer. Because the allocator may hand the freed block out again, an attacker who can influence what is placed there controls the data the program then reads through the dangling pointer. This can lead to code execution, which, in this case, could allow attackers to take control of an affected system.
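To make the pattern concrete, here is an added illustration in C (constructed for this article, not Firefox code; the `Animation`, `Timeline` and pool names are assumptions). It shows the raw-pointer pattern that produces a dangling reference beside a hardened alternative that hands out generation-tagged handles: once a record is destroyed its slot's generation is bumped, so every outstanding handle to it is rejected instead of being dereferenced, and a second destroy of the same handle is refused rather than becoming a double free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a tiny "animation" record that a "timeline" refers to.
 * Names are assumptions for illustration, not Firefox internals. */
typedef struct {
    int id;
    double current_time_ms;
} Animation;

/* --- Vulnerable pattern: a non-owning raw pointer outlives the object --- */
typedef struct {
    Animation *current;   /* nobody clears this when the object is freed */
} RawTimeline;

/* After this call tl->current dangles. Any later read through it is a
 * use-after-free; the function is shown for contrast and never called below. */
static void raw_timeline_drop_animation(RawTimeline *tl)
{
    free(tl->current);
    /* Bug: tl->current is left pointing at freed memory. */
}

/* --- Hardened pattern: generation-tagged handles instead of raw pointers --- */
#define POOL_SIZE 4

typedef struct {
    uint32_t index;        /* slot in the pool */
    uint32_t generation;   /* generation the slot had when the handle was issued */
} Handle;

typedef struct {
    Animation anim;
    uint32_t generation;   /* incremented on every destroy */
    bool live;
} Slot;

static Slot pool[POOL_SIZE];

/* Allocate a record and return a handle; index UINT32_MAX means pool exhausted. */
Handle animation_create(int id)
{
    for (uint32_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            pool[i].anim.id = id;
            pool[i].anim.current_time_ms = 0.0;
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };
}

/* Resolve a handle. Returns NULL for a stale, double-freed or out-of-range
 * handle, so a caller can never reach freed memory through it. */
Animation *animation_get(Handle h)
{
    if (h.index >= POOL_SIZE) return NULL;
    Slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return &s->anim;
}

/* Destroy a record. Returns false if the handle is already stale, which is
 * exactly the double-free case the raw-pointer version cannot detect. */
bool animation_destroy(Handle h)
{
    if (animation_get(h) == NULL) return false;
    Slot *s = &pool[h.index];
    s->live = false;
    s->generation++;   /* invalidates every handle issued for the old object */
    return true;
}

int main(void)
{
    Handle h = animation_create(1);
    printf("live: %s\n", animation_get(h) ? "yes" : "no");
    animation_destroy(h);
    printf("after destroy: %s\n", animation_get(h) ? "STILL REACHABLE" : "rejected");
    Handle h2 = animation_create(2);   /* reuses the slot with a new generation */
    printf("old handle after reuse: %s\n", animation_get(h) ? "STILL REACHABLE" : "rejected");
    printf("new handle id: %d\n", animation_get(h2)->id);
    (void)raw_timeline_drop_animation;
    return 0;
}
```

The key property is that the pool slot is reused by the second `animation_create`, yet the first handle still resolves to NULL, because the generation stored in the handle no longer matches the slot. A raw pointer has no such tag, which is why the `RawTimeline` pattern silently keeps working on whatever the allocator placed in the freed block.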

According to Mozilla’s security bulletin, this vulnerability has already been exploited, meaning the threat is real and immediate. An attacker could use this flaw to execute arbitrary code, potentially installing malware or gaining further control over a user’s device.


Impact on Firefox and ESR Versions


The vulnerability affects both the latest Firefox release and extended support releases (ESR), making it critical for all users to update their browsers. Mozilla has released patches in the following versions:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1

While details about how the vulnerability is being exploited are scarce, experts suggest several possibilities. Attackers could use the flaw as part of a watering hole attack, where specific websites are compromised to infect visitors with malware, or through a drive-by download tactic, tricking users into visiting malicious websites that automatically deliver harmful payloads.

The lack of information on the specific methods used by threat actors emphasizes the need for swift action. Mozilla’s advice is simple: update Firefox immediately. Users can easily apply the update by going to Settings > Help > About Firefox, where the browser will automatically install the latest version. A restart is required for the patch to take effect.
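For anyone checking more than one machine, the version list above is easy to turn into an automated check. The following is an added example written for this article (not Mozilla's or TuxCare's tooling): it parses the text printed by `firefox --version`, such as `Mozilla Firefox 128.3.0esr`, and compares it with the fixed versions the advisory names. It treats any release line newer than 131 as containing the fix, and any older line that is neither a patched ESR nor 131.x as needing an update, because no fix will ship for it; both of those rules are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not an official tool. Compares an installed Firefox
 * version string with the fixed versions from Mozilla's CVE-2024-9680 advisory. */
typedef struct { int major, minor, patch; } Version;

/* Fixed versions named in the advisory, keyed by the major version line. */
static const struct { int major; Version fixed; } FIXED[] = {
    { 115, { 115, 16, 1 } },   /* Firefox ESR 115.16.1 */
    { 128, { 128,  3, 1 } },   /* Firefox ESR 128.3.1  */
    { 131, { 131,  0, 2 } },   /* Firefox 131.0.2      */
};
#define NEWEST_FIXED_MAJOR 131

/* Parse "Mozilla Firefox 131.0.1", "131.0" or "128.3.0esr". A trailing "esr"
 * suffix is ignored. Returns false when no version number can be read. */
bool parse_firefox_version(const char *text, Version *out)
{
    const char *p = strstr(text, "Firefox ");
    p = p ? p + strlen("Firefox ") : text;
    int n = sscanf(p, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    if (n == 2) { out->patch = 0; n = 3; }   /* two-component version */
    return n == 3;
}

static int cmp_version(Version a, Version b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* 1 = contains the fix, 0 = needs an update, -1 = version text unparseable. */
int cve_2024_9680_status(const char *version_text)
{
    Version v;
    if (!parse_firefox_version(version_text, &v)) return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (FIXED[i].major == v.major)
            return cmp_version(v, FIXED[i].fixed) >= 0 ? 1 : 0;
    }
    /* Assumption: releases after 131 branched after the fix landed. */
    if (v.major > NEWEST_FIXED_MAJOR) return 1;
    /* Assumption: older non-ESR lines get no fix; only upgrading helps. */
    return 0;
}

int main(void)
{
    /* Constructed sample output lines, as `firefox --version` would print them. */
    const char *samples[] = {
        "Mozilla Firefox 131.0.1",
        "Mozilla Firefox 131.0.2",
        "Mozilla Firefox 128.3.0esr",
        "Mozilla Firefox 115.16.1esr",
        "Mozilla Firefox 130.0",
    };
    static const char *labels[] = { "unparseable", "NEEDS UPDATE", "patched" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i], labels[cve_2024_9680_status(samples[i]) + 1]);
    return 0;
}
```

In a fleet inventory you would feed the function the string each host reports and flag every 0 and -1 result: a -1 usually means the browser is installed under a non-standard name or the command was not found, which is worth a look in its own right.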


Conclusion


Given that this is an actively exploited Firefox Zero-Day vulnerability, meaning it’s being weaponized before a patch was issued, Mozilla advises users to upgrade as soon as possible. Without timely updates, users remain exposed to attackers leveraging this vulnerability for malicious purposes.

By keeping your Firefox browser up to date with the latest security patches, you can protect yourself from vulnerabilities that may otherwise be exploited to compromise your system. Stay safe online!


The sources for this article include an article from BleepingComputer.

