Mozilla fixes Firefox zero-day actively exploited in attacks

by · BleepingComputer

Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks.

The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

This type of flaw occurs when memory that has been freed is still used by the program, allowing malicious actors to add their own malicious data to the memory region to perform code execution.

Animation timelines, part of Firefox's Web Animations API, are a mechanism that controls and synchronizes animations on web pages.

"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," reads the security bulletin.

"We have had reports of this vulnerability being exploited in the wild."

The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Fixes have been made available in the below versions, which users are recommended to upgrade to immediately:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1

Given the active exploitation status for CVE-2024-9680 and the lack of any information on how people are targeted, upgrading to the latest versions is essential.

To upgrade to the latest version, launch Firefox and go to Settings -> Help -> About Firefox, and the update should start automatically. A restart of the program will be required for the changes to apply.

Updating Firefox
Source: BleepingComputer

BleepingComputer has contacted both Mozilla and ESET to learn more about the vulnerability, how it's being exploited, and against whom, and we will update this post when we receive more information.

Throughout 2024, so far, Mozilla had to fix zero-day vulnerabilities on Firefox only once.

On March 22, the internet company released security updates to address CVE-2024-29943 and CVE-2024-29944, both critical-severity issues discovered and demonstrated by Manfred Paul during the Pwn2Own Vancouver 2024 hacking competition.