Firefox Update Patches Exploited Vulnerability

Mozilla, the company behind the browser Firefox, issued a fix on Wednesday for a zero-day vulnerability they say has been exploited. NIST lists the vulnerability as CVE-2024-9680, and its status as “awaiting analysis.” Firefox users should update to the latest version of the browser and of the extended support releases to protect their systems from potential attacks.

Due to widespread use of Firefox, this issue poses a significant risk, particularly for systems that haven’t been updated. No specific details about the attackers or exploitation methods have been released, but possible attack vectors include drive-by downloads or malicious websites.

Use-after-free flaw highlights cracks in memory-unsafe programming languages

The attacker found the use-after-free flaw in Animation timelines, part of an API that displays animations on web pages. A use-after-free bug occurs when a connection in dynamic memory is left open after already being used. It can stem from code written in a programming language that doesn’t use automatic memory management, such as C or C++. The U.S. government’s recommendation away from memory-unsafe languages is an attempt to prevent this type of flaw.

SEE: Both Microsoft and Apple released major fixes on this month’s Patch Tuesday.

“We have had reports of this vulnerability being exploited in the wild,” Mozilla wrote.

“Within an hour of receiving the sample, we had convened a team of security, browser, compiler, and platform engineers to reverse engineer the exploit, force it to trigger its payload, and understand how it worked,” wrote Tom Ritter, security engineer at Mozilla, in a blog post on Oct. 11.

Mozilla deployed the fix in just 25 hours, Ritter pointed out.

“Our team will continue to analyze the exploit to find additional hardening measures to make deploying exploits for Firefox harder and rarer,” he wrote.

This isn’t the first time Mozilla has experienced a cyber incident. In 2015, a critical flaw allowed attackers to bypass the browser’s same-origin policy and access local files. In 2019, the company patched a zero-day flaw that attackers were actively exploiting to take over systems by tricking users into visiting malicious sites, underscoring the importance of staying updated with the latest browser versions.

However, Mozilla issued an advisory for just one other critical vulnerability in the last year, an out-of-bounds read-or-write vulnerability Trend Micro discovered in March.

Other web browsers have been targeted in recent years

Several other web browsers have been exploited by cyberattackers in recent years:

• Google Chrome: Due to its widespread use, Chrome has been a common target. For example, in 2022, Google patched a serious zero-day vulnerability related to a Type Confusion bug in the V8 JavaScript engine, which allowed for arbitrary code execution.
• Microsoft Edge: In 2021, a series of vulnerabilities allowed attackers to carry out remote code execution, including an issue found in the WebRTC component.
• Apple Safari: Since 2021, Apple has patched a series of zero-day vulnerabilities, including those used to target iPhone and Mac users through WebKit, the engine that runs Safari.

How to apply the Mozilla patch

The following versions include the patch:

• Firefox 131.0.2.
• Firefox ESR 115.16.1.
• Firefox ESR 128.3.1.

To update your browser, go to Settings -> Help -> About Firefox. Re-open the browser after applying the update.

When reached for comment, Mozilla pointed us to their security blog.