Emergency Security Update Issued by Mozilla for Firefox Zero-Day Exploited in Attacks

October 9, 2024

Mozilla has shipped an emergency security update for Firefox to fix a critical use-after-free vulnerability that is being actively exploited. The flaw, tracked as CVE-2024-9680, was discovered by Damien Schaeffer, a researcher at ESET. A use-after-free arises when a program keeps using memory after it has been freed; an attacker who can get that memory reallocated with data of their choosing can make the stale reference operate on attacker-controlled contents, which can be turned into code execution. The flaw is in Animation timelines, part of Firefox's Web Animations API, which schedule and synchronize animations on web pages.

"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," the security bulletin stated. It also mentioned that there have been reports of this vulnerability being exploited in the wild.
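The following is an added illustration of the use-after-free pattern described above, not code from Firefox or from Mozilla's advisory. It uses a deterministic toy heap (freed slots are reused LIFO, the property that lets an attacker reclaim a freed chunk with a same-size allocation) and hypothetical Timeline and Animation structs whose names and layout are assumptions. The vulnerable path frees the timeline while an animation still holds a raw pointer to it, so the next read through that pointer returns whatever the attacker placed in the reclaimed slot; the hardened path gives every holder a counted reference, so the memory cannot be freed while an observer still points at it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy heap: fixed-size slots handed out LIFO from a free list, so the slot
 * just freed is the next one returned.  That mirrors the property a real
 * allocator gives an attacker: a same-size allocation reclaims a freed chunk. */
#define SLOT_SIZE 32
#define NSLOTS 8
static uint8_t *arena;              /* malloc'd once; slot i is arena + i*SLOT_SIZE */
static int free_stack[NSLOTS];
static int free_top;

static void toy_heap_reset(void) {
    if (!arena) { arena = malloc((size_t)NSLOTS * SLOT_SIZE); if (!arena) abort(); }
    memset(arena, 0, (size_t)NSLOTS * SLOT_SIZE);
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[++free_top] = i;  /* slot 0 on top */
}
static void *toy_alloc(void) {
    return free_top < 0 ? NULL : arena + free_stack[free_top--] * SLOT_SIZE;
}
static void toy_free(void *p) {
    free_stack[++free_top] = (int)(((uint8_t *)p - arena) / SLOT_SIZE);
}

/* Hypothetical objects (names and layout are assumptions, not Firefox's):
 * a timeline with a current time and a refcount, and an animation observing it. */
typedef struct { int refcnt; double current_time; } Timeline;
typedef struct { Timeline *timeline; } Animation;

/* Attacker's same-size allocation filled with chosen bytes (constructed input). */
static void spray_slot(double chosen) {
    uint8_t *slot = toy_alloc();
    memset(slot, 0, SLOT_SIZE);
    memcpy(slot + offsetof(Timeline, current_time), &chosen, sizeof chosen);
}

/* Vulnerable pattern: the animation holds a raw pointer, the timeline's owner
 * frees it while the animation is still attached, and the next read through
 * the stale pointer consumes whatever the attacker put in the reclaimed slot. */
static double read_time_vulnerable(void) {
    toy_heap_reset();
    Timeline *tl = toy_alloc();
    tl->refcnt = 1;
    tl->current_time = 1.5;
    Animation anim = { tl };             /* raw pointer, no ownership */
    toy_free(tl);                        /* owner tears the timeline down; anim.timeline dangles */
    spray_slot(-1.0);                    /* attacker reclaims the freed slot */
    return anim.timeline->current_time;  /* reads attacker data, not the real timeline */
}

/* Hardened pattern: every holder takes a counted reference, so "destroy" only
 * drops the owner's reference and the memory is not freed while any observer
 * still points at it.  The attacker's allocation lands in a different slot. */
static Timeline *timeline_addref(Timeline *t) { t->refcnt++; return t; }
static void timeline_release(Timeline *t) { if (--t->refcnt == 0) toy_free(t); }

static double read_time_fixed(void) {
    toy_heap_reset();
    Timeline *tl = toy_alloc();
    tl->refcnt = 1;
    tl->current_time = 1.5;
    Animation anim = { timeline_addref(tl) };  /* refcnt 2: owner + animation */
    timeline_release(tl);                      /* owner lets go; refcnt 1, still alive */
    spray_slot(-1.0);                          /* goes to an untouched slot */
    double t = anim.timeline->current_time;    /* still the real value */
    timeline_release(anim.timeline);           /* last reference: freed only now */
    return t;
}

int main(void) {
    printf("vulnerable: %g (attacker-controlled)\n", read_time_vulnerable());
    printf("fixed:      %g\n", read_time_fixed());
    return 0;
}
```

The toy heap stands in for the real allocator only to make the reclaim deterministic; in a browser the attacker achieves the same effect by allocating objects of the right size from script after triggering the free. The refcount fix shown is the general remedy for this class of bug (a dangling observer pointer), not a description of Mozilla's actual patch for CVE-2024-9680, which has not been detailed.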

The vulnerability affects the current standard release of Firefox as well as the Extended Support Releases (ESR). Fixes have been introduced in the following versions, to which users are advised to upgrade promptly:

Because CVE-2024-9680 is under active exploitation and no details of the targeting have been published, upgrading immediately is critical. To update, open Firefox's application menu and choose Help -> About Firefox (on macOS, Firefox -> About Firefox); the update check and download start automatically, and Firefox must be restarted for the fix to take effect. The same dialog shows the installed version, so it can be used to confirm that the update actually applied.

Both Mozilla and ESET have been approached for more information about the vulnerability, how it is being exploited, and who is being targeted. Updates will be provided as more information becomes available.

Before this, Mozilla had addressed Firefox zero-days only once in 2024: on March 22 it issued security updates for CVE-2024-29943 and CVE-2024-29944, two critical-severity issues demonstrated by Manfred Paul at the Pwn2Own Vancouver 2024 hacking competition.
