Introduction
A critical security vulnerability has been identified in Mozilla Firefox and Firefox Extended Support Release (ESR) [5], posing significant risks due to its high severity and active exploitation. This flaw, tracked as CVE-2024-9680 [1] [2] [3] [4] [5], necessitates immediate attention and action from affected users and organizations.
Description
A critical security flaw, tracked as CVE-2024-9680 with a CVSSv3 score of 9.8 [5], has been identified in Mozilla Firefox and Firefox Extended Support Release (ESR) [5]. This use-after-free vulnerability [1] [3] [6] [7] [8] [9], which resides in the Animation timeline component of the Firefox Developer Tools, allows remote [3], unauthenticated attackers to inject and execute arbitrary code within the browser’s content process by exploiting freed memory, without requiring privileges or user interaction [4].
Reports indicate that this vulnerability is actively being exploited in the wild [1] [5], with methods including watering hole attacks targeting specific websites and drive-by download campaigns that deceive users into visiting malicious sites [3]. The flaw affects Firefox versions prior to 131.0.2 [7], as well as Firefox ESR versions prior to 128.3.1 and 115.16.1. Affected organizations are advised to review the Mozilla Foundation Security Advisory mfsa2024-51 and apply the necessary updates [6].
Alerts have been issued by international cyber agencies, including the Dutch national cyber center [4], Canada [4], and Italy [4] [6]. The vulnerability was discovered and reported by security researcher Damien Schaeffer from ESET [1] [5]. Mozilla has addressed the issue promptly [5], releasing emergency security updates within 25 hours of the vulnerability being reported, in the following versions: Firefox 131.0.2 [5], Firefox ESR 128.3.1 [1] [3] [4] [5] [8] [9], and Firefox ESR 115.16.1 [1] [3] [4] [5] [8] [9]. Users are urged to upgrade to version 131.0.2 for Firefox and to versions 115.16.1 or 128.3.1 for Firefox ESR to mitigate the risk of exploitation [4].
Immediate action is recommended due to the ongoing exploitation of this flaw [8], which may also include threats such as cross-site scripting (XSS), buffer overflows [3], and man-in-the-middle attacks [3]. It is important to note that Thunderbird is not affected by this vulnerability.
Conclusion
The discovery of CVE-2024-9680 underscores the critical need for vigilance and prompt action in addressing security vulnerabilities. Organizations and users must prioritize updating their software to the latest versions to protect against potential exploits. Continued collaboration between security researchers and software developers is essential to mitigate risks and enhance the security posture of widely used applications like Mozilla Firefox.
References
[1] https://securityaffairs.com/169590/security/mozilla-firefox-actively-exploited-flaw.html
[2] https://www.heise.de/en/news/Firefox-emergency-update-plugs-attacked-security-leak-9976491.html
[3] https://www.techradar.com/pro/security/mozilla-warns-of-critical-firefox-security-flaw-so-patch-immediately
[4] https://www.darkreading.com/cyberattacks-data-breaches/critical-mozilla-firefox-zero-day-code-execution
[5] https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html
[6] https://digital.nhs.uk/cyber-alerts/2024/cc-4562
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-9680
[8] https://safecomputing.umich.edu/security-alerts/update-mozilla-firefox-browser-zero-day-vulnerability
[9] https://www.helpnetsecurity.com/2024/10/10/cve-2024-9680/