Mozilla has issued an emergency safety replace for the Firefox browser to handle a important use-after-free vulnerability that’s at the moment exploited in assaults.
The vulnerability, tracked as CVE-2024-9680, and found by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.
This kind of flaw happens when reminiscence that has been freed remains to be utilized by this system, permitting malicious actors so as to add their very own malicious information to the reminiscence area to carry out code execution.
Animation timelines, a part of Firefox’s Net Animations API, are a mechanism that controls and synchronizes animations on internet pages.
“An attacker was capable of obtain code execution within the content material course of by exploiting a use-after-free in Animation timelines,” reads the safety bulletin.
“Now we have had stories of this vulnerability being exploited within the wild.”
The vulnerability impacts the newest Firefox (normal launch) and the prolonged assist releases (ESR).
Fixes have been made accessible within the beneath variations, which customers are beneficial to improve to right away:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
Given the lively exploitation standing for CVE-2024-9680 and the dearth of any info on how persons are focused, upgrading to the newest variations is important.
To improve to the newest model, launch Firefox and go to Settings -> Assist -> About Firefox, and the replace ought to begin mechanically. A restart of this system shall be required for the modifications to use.
Supply: BleepingComputer
BleepingComputer has contacted each Mozilla and ESET to be taught extra concerning the vulnerability, the way it’s being exploited, and in opposition to whom, and we’ll replace this submit once we obtain extra info.
All through 2024, up to now, Mozilla needed to repair zero-day vulnerabilities on Firefox solely as soon as.
On March 22, the web firm launched safety updates to handle CVE-2024-29943 and CVE-2024-29944, each critical-severity points found and demonstrated by Manfred Paul throughout the Pwn2Own Vancouver 2024 hacking competitors.
