Mozilla on Wednesday released a Firefox update that addresses a security defect exploited in the wild as a zero-day for remote code execution.
The vulnerability, tracked as CVE-2024-9680, is a use-after-free issue that Mozilla rates critical. It sits in the browser’s Animation timeline code, the part of the Web Animations implementation that drives animations on a page and is therefore reachable from ordinary web content.
“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla notes in its advisory.
Use-after-free vulnerabilities are memory safety bugs in which a program keeps a pointer to heap memory after that memory has been released. If an attacker can get the allocator to hand the freed block to an allocation they control (in a browser, typically an object or buffer of the same size created from JavaScript), the program’s later use of the stale pointer operates on attacker-chosen data. Where that data includes a function pointer or vtable, the attacker steers control flow and gains code execution in the content process. The content process is sandboxed, so a separate sandbox escape is normally needed to reach the operating system.
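To make the mechanism concrete, the C program below is an added illustration written for this article. It is not Mozilla’s code and does not reproduce the CVE-2024-9680 bug: the `Animation` struct, the callback names and the toy LIFO slab allocator are all constructed for the example, standing in for a browser object with a function pointer and for a real heap that reuses freed blocks. The vulnerable path keeps a raw pointer to an object another owner releases; an attacker-controlled allocation of the same size takes over the slot and the stale pointer dispatches to the attacker’s function. The hardened path holds a counted reference, so the object cannot be freed while it is still in use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy LIFO slab allocator standing in for the real heap: the block freed
 * most recently is the block handed out next. Production allocators reuse
 * memory in similar (if less predictable) ways, which is what a UAF
 * exploit relies on. Constructed for this example only. */
#define SLOT_SIZE 32
#define NSLOTS 4
static _Alignas(16) unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void toy_reset(void) {
    memset(slab, 0, sizeof slab);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i; /* slot 0 on top */
}
static void *toy_alloc(void) { return free_top ? slab[free_stack[--free_top]] : NULL; }
static void toy_free(void *p) {
    free_stack[free_top++] = (int)(((unsigned char *)p - &slab[0][0]) / SLOT_SIZE);
}

/* Hypothetical refcounted animation object with a tick callback, loosely
 * modelled on how a browser dispatches timeline updates. Not Mozilla's type. */
typedef struct {
    void (*on_tick)(int *counter);
    int refcnt;
} Animation;

static void benign_tick(int *c)   { *c += 1; }
static void attacker_tick(int *c) { *c = 0xdead; }   /* stands in for attacker code */

static Animation *anim_new(void) {
    Animation *a = toy_alloc();
    a->on_tick = benign_tick;
    a->refcnt = 1;
    return a;
}
static Animation *anim_addref(Animation *a) { a->refcnt++; return a; }
static void anim_release(Animation *a) { if (--a->refcnt == 0) toy_free(a); }

/* Attacker-controlled allocation in the same size class: its first bytes
 * land exactly where a freed object's function pointer used to be. */
static void attacker_spray(void) {
    unsigned char *buf = toy_alloc();
    void (*fp)(int *) = attacker_tick;
    memcpy(buf, &fp, sizeof fp);
}

/* Vulnerable: the timeline keeps a raw pointer without taking a reference.
 * The owner releases the object, the pointer dangles, the attacker's
 * allocation reuses the slot, and the tick calls through attacker data. */
static int vulnerable_tick(void) {
    int counter = 0;
    toy_reset();
    Animation *owner = anim_new();
    Animation *timeline_ref = owner;        /* raw copy, no addref */
    anim_release(owner);                    /* refcnt 0 -> freed */
    attacker_spray();                       /* slot reused, on_tick overwritten */
    timeline_ref->on_tick(&counter);        /* use after free: attacker_tick runs */
    return counter;                         /* 0xdead */
}

/* Hardened: the timeline holds a strong reference, so the object stays
 * alive while reachable and the attacker's allocation gets another slot. */
static int hardened_tick(void) {
    int counter = 0;
    toy_reset();
    Animation *owner = anim_new();
    Animation *timeline_ref = anim_addref(owner);  /* refcnt 2 */
    anim_release(owner);                           /* refcnt 1, still alive */
    attacker_spray();                              /* lands in slot 1, harmless */
    timeline_ref->on_tick(&counter);               /* benign_tick runs */
    anim_release(timeline_ref);                    /* refcnt 0 -> freed only now */
    return counter;                                /* 1 */
}

int main(void) {
    printf("vulnerable: 0x%x\nhardened:   %d\n", vulnerable_tick(), hardened_tick());
    return 0;
}
```

The deterministic allocator is what makes the outcome reproducible; against a real heap the attacker has to shape allocations so the freed chunk is reused by their object, which is the bulk of the work in a browser exploit. The fix pattern is the same one browsers apply in practice: every holder of a pointer across a point where the object may be released must own a counted reference (Firefox’s RefPtr does this in C++), rather than rely on a raw pointer staying valid.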
“We have had reports of this vulnerability being exploited in the wild,” the browser maker notes.
Mozilla has not provided details on the observed attacks. Cybersecurity firm ESET has been credited with finding CVE-2024-9680 and SecurityWeek has reached out to the company for information on the attacks.
Security updates have been released for both Firefox and its extended support releases. Firefox version 131.0.2 and Firefox ESR versions 128.3.1 and 115.16.1 contain the patches.
The browser updates are being rolled out only one week after Mozilla pushed Firefox 131 to the stable channel with patches for 13 bugs, and released Firefox ESR versions 128.3 and 115.16 with fixes for several of these flaws.
CVE-2024-9680 is the first documented Firefox zero-day of 2024 to be exploited in the wild.
In March, however, Mozilla patched two browser zero-days that were demonstrated at Pwn2Own Vancouver 2024. Tracked as CVE-2024-29943 and CVE-2024-29944, they were discovered by security researcher Manfred Paul, who chained them for sandbox escape and code execution on the system.