Mozilla announced a critical vulnerability affecting its Firefox and Firefox ESR (Extended Support Release) browsers, which is being actively exploited in the wild.
The flaw, tracked as CVE-2024-9680, involves a use-after-free vulnerability in the Animation timeline subsystem. If left unpatched, this issue allows attackers to execute arbitrary code in the content process of the browser, potentially compromising user systems.
Discovery and exploitation
The vulnerability was discovered by Damien Schaeffer from ESET. A use-after-free flaw occurs when a program accesses memory after that memory has already been freed, leading to unpredictable behavior. This type of flaw is particularly dangerous because it can be manipulated by attackers to achieve arbitrary code execution, often enabling them to run malicious code or install malware.
In the context of CVE-2024-9680, the issue lies within the handling of Animation timelines in Firefox. Attackers could potentially exploit this by crafting specially designed web content that interacts with the animation feature, triggering the use-after-free error and allowing them to execute malicious code on the victim’s device.
With Firefox serving hundreds of millions of users globally, the scope of this vulnerability is significant. Firefox ESR, widely used in enterprise environments and educational institutions for its long-term support features, is also affected. The critical nature of this vulnerability, combined with evidence of active exploitation, means that users are strongly urged to update immediately.
Affected Firefox versions and patch availability
Mozilla has fixed the flaw in the following releases:
- Firefox 131.0.2
- Firefox ESR 128.3.1
- Firefox ESR 115.16.1
These updates address the flaw and ensure the animation timeline subsystem no longer exposes users to potential code execution risks.
To upgrade the Firefox browser to the above versions, follow these steps:
- Open the Firefox menu by clicking the three horizontal lines in the top-right corner.
- Select Help and then About Firefox.
- Firefox will automatically check for updates and download the latest version.
- After downloading, click Restart to update Firefox.
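For fleets where clicking through About Firefox on every machine is not practical, the fixed versions listed above can be checked against an inventory of reported version strings. The following is an added example, not code from Mozilla or from the original article. It assumes version strings in the form printed by `firefox --version`, uses constructed hostnames, and assumes that any build below the fixed release on its branch is unpatched, with ESR builds on branches other than 115 and 128 compared against 131.0.2.

```python
import re

# Fixed releases for CVE-2024-9680 as listed in the article.
# Assumption: any build below the fixed release on its branch is unpatched.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {128: (128, 3, 1), 115: (115, 16, 1)}

# Constructed sample inventory: hostname -> output of `firefox --version`.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 131.0.2",
    "ws-02": "Mozilla Firefox 131.0",
    "lab-01": "Mozilla Firefox 128.3.1esr",
    "lab-02": "Mozilla Firefox 128.3.0esr",
    "kiosk-01": "Mozilla Firefox 115.16.1esr",
    "kiosk-02": "Mozilla Firefox 115.15.0esr",
    "srv-01": "firefox: command not found",
}


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # "131.0" -> (131, 0, 0)
    return tuple(parts[:3]), "esr" in text.lower()


def is_patched(version_text):
    """True if patched, False if unpatched, None if the string cannot be parsed."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    version, is_esr = parsed
    # ESR 115 and ESR 128 have their own fixed point releases; every other
    # build (assumption) is compared with the fixed rapid-release version.
    threshold = FIXED_ESR.get(version[0], FIXED_RELEASE) if is_esr else FIXED_RELEASE
    return version >= threshold


def unpatched_hosts(inventory):
    """Return sorted hosts that are unpatched or whose version is unreadable."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: needs update or manual check ({SAMPLE_INVENTORY[host]})")
```

Hosts whose version string cannot be parsed are reported alongside unpatched ones so they are checked by hand rather than silently skipped.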