Mozilla, the force behind Firefox, rolled out a fix on Wednesday for a critical security flaw that has already been exploited. The vulnerability is tracked as CVE-2024-9680 and is currently “awaiting analysis” according to NIST. If you use Firefox, you should update to the latest version to safeguard your system against potential threats.
Because so many people use Firefox, the impact of this vulnerability is serious, especially for those who haven’t kept their browsers up to date. While details about who is behind the attack or how it’s being executed are scarce, some possible methods attackers might use include drive-by downloads or compromised websites.
This flaw stems from a use-after-free issue related to Animation timelines, part of an API that controls animations in web browsers. A use-after-free error happens when a program keeps using a block of memory after that memory has been freed, a problem often tied to programming languages that don’t manage memory automatically, like C or C++. The government encourages avoiding these memory-unsafe languages to fend off such vulnerabilities.
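The use-after-free pattern described above, as an added C illustration that is not Mozilla's code and does not model Firefox's real data structures: a hypothetical Animation keeps a pointer to its Timeline, the unsafe variant lets the document free the timeline while the animation still points at it, and the hardened variant gives the animation its own reference so the timeline outlives every user (all names and values are constructed).

```c
#include <stdlib.h>

/* Hypothetical model, not Firefox code: a Timeline shared by a document and its animations. */
typedef struct Timeline {
    int refcount;        /* live owners: the document plus each attached animation */
    double current_time; /* constructed sample value, in milliseconds */
} Timeline;

typedef struct Animation { Timeline *timeline; } Animation;

static int timelines_freed = 0; /* instrumentation so the lifecycle can be checked */

Timeline *timeline_create(double now) {
    Timeline *t = malloc(sizeof *t);
    if (!t) abort();
    t->refcount = 1; /* the creator (the document) holds the first reference */
    t->current_time = now;
    return t;
}

Timeline *timeline_retain(Timeline *t) { t->refcount++; return t; }

void timeline_release(Timeline *t) {
    if (--t->refcount == 0) { free(t); timelines_freed++; }
}

/* Unsafe pattern: a raw pointer with no ownership. If the document releases the timeline
 * while the animation is attached, the next animation_tick() reads freed memory. Never called below. */
void animation_attach_unsafe(Animation *a, Timeline *t) { a->timeline = t; }

/* Hardened pattern: the animation takes its own reference, so the timeline cannot be
 * freed until the animation lets go of it. */
void animation_attach(Animation *a, Timeline *t) { a->timeline = timeline_retain(t); }

void animation_detach(Animation *a) {
    if (a->timeline) { timeline_release(a->timeline); a->timeline = NULL; }
}

/* Current time of the attached timeline, or -1.0 once the animation is detached. */
double animation_tick(const Animation *a) {
    return a->timeline ? a->timeline->current_time : -1.0;
}

/* Lifecycle: document creates the timeline, an animation attaches, the document drops its
 * reference, the animation still ticks safely, then detaches. Returns 1 when the timeline
 * outlived the document's release and was freed exactly once at the end. */
int run_scenario(void) {
    Animation a = { NULL };
    Timeline *t = timeline_create(42.0);
    animation_attach(&a, t);
    timeline_release(t); /* document is done with it; the animation still holds a reference */
    int alive = timelines_freed == 0 && animation_tick(&a) == 42.0;
    animation_detach(&a); /* last owner gone: freed here, and only here */
    return alive && timelines_freed == 1 && animation_tick(&a) == -1.0;
}
```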
Mozilla acknowledged reports of this flaw being exploited in real-world scenarios. Tom Ritter, a security engineer at Mozilla, shared in a blog post that the team sprang into action within an hour of confirming the exploit, working together to analyze how it functioned and trigger its payload. Remarkably, they pushed out a fix in just 25 hours.
Ritter mentioned the team will keep examining the exploit to implement stronger defenses, making it harder for attacks on Firefox to take place.
This isn’t Mozilla’s first brush with security issues. In 2015, a significant flaw allowed attackers to bypass Firefox’s same-origin policy and access local files. Again in 2019, they patched a zero-day exploit that could take over systems by directing users to harmful sites. These incidents highlight the importance of keeping browsers updated.
In the past year, Mozilla has warned about just one other critical vulnerability, which was discovered by Trend Micro in March.
And it’s not just Firefox that faces these threats. Other web browsers have fallen victim to cyberattacks as well. Google Chrome, for example, was targeted in 2022 when a severe zero-day vulnerability involving a Type Confusion bug in its V8 JavaScript engine was patched. Microsoft Edge had a series of vulnerabilities in 2021 that let attackers carry out remote code execution. Apple Safari has also faced zero-day vulnerabilities since 2021, especially those that affected iPhone and Mac users.
To apply the latest Mozilla patch, update to one of the following versions:
– Firefox 131.0.2
– Firefox ESR 115.16.1
– Firefox ESR 128.3.1
To update, head to Settings -> Help -> About Firefox. After applying the update, reopen the browser. For more details, check out Mozilla’s security blog.