Users of the Tails operating system and Tor Browser have become the latest targets of a critical zero-day vulnerability that was initially discovered in Firefox.
The flaw, tracked as CVE-2024-9680, involves a dangerous “use-after-free” bug in Firefox's Animation timeline subsystem, allowing attackers to execute arbitrary code on vulnerable systems. Tails 6.8.1, an emergency release from the privacy-focused OS, and Tor Browser 13.5.7 both address this vulnerability. The issue was first identified by security researcher Damien Schaeffer from ESET, and Mozilla confirmed its active exploitation late last week.
“Mozilla is aware of this attack being used in the wild against Tor Browser users,” the Tails team states in its release announcement.
The vulnerability is particularly concerning for Tor Browser and Tails users, who rely on these platforms for anonymous browsing. Mozilla's advisory explained that the bug arises from improper memory management, where memory freed during the handling of Animation timelines can be accessed again, creating the possibility for an attacker to inject malicious code. Schaeffer's report was promptly forwarded to Mozilla, which worked rapidly to issue a fix. Tom Ritter of Mozilla later revealed that the patch was developed within 25 hours of the report, reflecting Mozilla's strong focus on browser security and timely response to critical findings.
While Tor Browser and Tails provide layers of protection for privacy-conscious users, the nature of this exploit is alarming. According to Mozilla, this vulnerability could be weaponized to take full control of the Tor Browser without necessarily deanonymizing the user — an important distinction for those relying on Tails for privacy.
“Using this vulnerability, an attacker could take control of Tor Browser, but probably not deanonymize you in Tails,” the Tails team reassured its users in their release notes for version 6.8.1. However, this still represents a severe risk, as control of the browser could enable further exploitation.
The Tor Browser, which is built on Firefox ESR, was immediately impacted by the same flaw as its mainstream counterpart. The team quickly issued version 13.5.7 to mitigate the issue by incorporating Mozilla's patch. Tails, meanwhile, included this update in its own emergency release to protect users who rely on its built-in Tor Browser for anonymous browsing over The Onion Router network. Both updates were made available on October 10, 2024, with users urged to update immediately to avoid falling victim to active exploitation in the wild.
Tails, an amnesic operating system, is specifically designed to preserve privacy and anonymity, routing internet traffic through the Tor network and leaving no trace of user activity on the host system. Because of its focus on protecting users from mass surveillance and oppressive regimes, the discovery of this vulnerability raises significant concerns about the security of those who depend on Tails for privacy in sensitive environments.