Mozilla, the organization behind the Firefox browser, released a fix on Wednesday for a zero-day vulnerability that is reportedly being exploited in the wild. The flaw, tracked as CVE-2024-9680, is listed in NIST's National Vulnerability Database with the status "awaiting analysis". Firefox users are advised to upgrade to the latest release, or to the latest Extended Support Release (ESR) if they are on that track, to protect their systems.
Given how widely Firefox is deployed, the issue poses a considerable risk, especially to systems that are not kept up to date. Mozilla has not shared details about the attackers or the exploitation technique, but because the bug is triggered by web content the browser renders, the most likely delivery vector is a drive-by attack from a malicious or compromised website.
Use-after-Free Bug Highlights the Risk of Memory-Unsafe Languages
The attacker exploited a use-after-free bug in Animation timelines, part of the Web Animations API that drives animations on web pages, to achieve code execution in the browser's content process. A use-after-free occurs when a program keeps using a pointer to heap memory after that memory has been freed: the freed block can be handed out again to a later allocation, so whatever the attacker places there is read through the stale pointer, which is often enough to corrupt an object or hijack control flow. Bugs of this class are typical of code written in languages without automatic memory management, such as C or C++, which is what most of Firefox's rendering engine is written in. The U.S. government's push to move away from memory-unsafe programming languages is aimed at preventing exactly this kind of weakness.
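To make the failure mode concrete, the following is an added example written for this article; it is not Mozilla's code and does not reproduce the Firefox bug. It models a timeline that keeps raw pointers to animation objects, with a tiny deterministic free-list arena standing in for the heap so that the freed chunk is guaranteed to be reused by the next allocation of the same size. The "vulnerable" path frees an animation while the timeline still references it, an attacker-controlled allocation reclaims the chunk, and the next tick calls the attacker's function pointer. The "hardened" path unlinks the object from the timeline before it is released, so no dangling reference survives. Every struct and function name here is an assumption made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Mozilla code): a toy timeline -> animation graph
 * showing how a dangling pointer turns into attacker-controlled control flow. */

typedef struct Animation Animation;
typedef int (*TickFn)(Animation *);
struct Animation {
    TickFn on_tick;      /* called by the timeline every frame */
    int    progress;
};

/* Deterministic free-list arena (constructed for the demo): a freed slot is
 * always the next slot handed out, which is what a real allocator does for
 * same-sized chunks, just less predictably. */
#define SLOTS 4
static Animation  arena[SLOTS];
static Animation *free_list[SLOTS];
static int free_top  = 0;
static int next_slot = 0;

static Animation *anim_alloc(void) {
    if (free_top > 0)      return free_list[--free_top];   /* LIFO reuse */
    if (next_slot < SLOTS) return &arena[next_slot++];
    return NULL;
}
static void anim_free(Animation *a) { free_list[free_top++] = a; }
static void arena_reset(void) { free_top = 0; next_slot = 0; memset(arena, 0, sizeof arena); }

static int benign_tick(Animation *a) { return ++a->progress; }
/* Stands in for whatever an attacker manages to place in the recycled chunk. */
static int attacker_tick(Animation *a) { (void)a; return 0xBAD; }

typedef struct { Animation *anims[SLOTS]; int count; } Timeline;

static void timeline_add(Timeline *t, Animation *a) { t->anims[t->count++] = a; }

/* Runs every registered animation's callback; returns the last result
 * (0 when nothing is registered). */
static int timeline_tick(Timeline *t) {
    int r = 0;
    for (int i = 0; i < t->count; i++) r = t->anims[i]->on_tick(t->anims[i]);
    return r;
}

/* VULNERABLE: the animation is freed while the timeline still holds the
 * raw pointer, so tl.anims[0] dangles. */
static int vulnerable_scenario(void) {
    arena_reset();
    Timeline tl = {0};
    Animation *a = anim_alloc();
    a->on_tick = benign_tick; a->progress = 0;
    timeline_add(&tl, a);
    anim_free(a);                       /* object gone, reference kept */
    Animation *spray = anim_alloc();    /* attacker's same-size allocation reclaims the chunk */
    spray->on_tick = attacker_tick;
    return timeline_tick(&tl);          /* stale pointer: attacker's callback runs -> 0xBAD */
}

/* HARDENED: destroying an animation first unlinks it from every owner,
 * then poisons it, then releases it. A reference-counted smart pointer
 * achieves the same guarantee automatically. */
static void timeline_remove(Timeline *t, Animation *a) {
    int j = 0;
    for (int i = 0; i < t->count; i++) if (t->anims[i] != a) t->anims[j++] = t->anims[i];
    t->count = j;
}
static void anim_destroy(Timeline *t, Animation *a) {
    timeline_remove(t, a);
    a->on_tick = NULL;                  /* poison before release */
    anim_free(a);
}
static int hardened_scenario(void) {
    arena_reset();
    Timeline tl = {0};
    Animation *a = anim_alloc();
    a->on_tick = benign_tick; a->progress = 0;
    timeline_add(&tl, a);
    anim_destroy(&tl, a);
    Animation *spray = anim_alloc();
    spray->on_tick = attacker_tick;
    return timeline_tick(&tl);          /* nothing registered: returns 0 */
}

int main(void) {
    printf("vulnerable tick returned 0x%X (attacker callback ran)\n", vulnerable_scenario());
    printf("hardened tick returned %d (no stale reference)\n", hardened_scenario());
    return 0;
}
```

The point of the arena is only determinism: with the system allocator the reuse still happens, it just depends on chunk sizes and allocator state, which is precisely what exploit writers shape with heap grooming.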
“We have received reports of this exploited vulnerability,” stated Mozilla.
“Within sixty minutes of obtaining the sample, we gathered a team consisting of security, browsing, compiler, and platform engineers to dissect the exploit, trigger its payload, and comprehend its operation,” commented Tom Ritter, a security engineer at Mozilla, in an October 11 blog post.
Ritter noted that Mozilla shipped the fix within 25 hours.
“Our team is continually evaluating the exploit to devise additional robust measures to make deploying Firefox exploits more difficult and less frequent,” he added.
This is not the first time Mozilla has had to respond to a security incident. In 2015, a serious flaw let attackers bypass the browser's same-origin policy and read local files. In 2019, the company fixed a zero-day that attackers were actively exploiting to take control of systems by luring users to malicious sites, underlining the importance of staying on the latest browser release.
Even so, Mozilla has published an advisory for only one other critical vulnerability in the past year: an out-of-bounds read-or-write bug reported via Trend Micro in March.
Other Browsers Have Been Targeted Too
Other major browsers have also seen actively exploited flaws in recent years:
- Google Chrome: Owing to its dominant market share, Chrome is a frequent target. In 2022, for example, Google patched a critical zero-day stemming from a type confusion bug in the V8 JavaScript engine that allowed arbitrary code execution.
- Microsoft Edge: Edge is built on Chromium, so it inherits Chromium's bugs; in 2021 a series of remote code execution vulnerabilities affected it, including one in the WebRTC component.
- Apple Safari: Since 2021, Apple has fixed several zero-days, including ones used to target iPhone and Mac users through WebKit, Safari's rendering engine.
Installation Instructions for the Mozilla Fix
The patch is included in the following versions:
- Firefox 131.0.2.
- Firefox ESR 115.16.1.
- Firefox ESR 128.3.1.
To update your browser, open the application menu (the ≡ button), choose Help, then About Firefox; Firefox checks for the update and downloads it. Once the update has been applied, restart the browser and confirm that the About dialog shows one of the versions listed above.
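When checking a fleet rather than a single machine, the version comparison has to be aware of the release train: a naive "is the version at least 131.0.2" test wrongly flags a fully patched ESR 115.16.1 or 128.3.1 as vulnerable, and a plain "is it newer than 128.3.1" test wrongly passes an unpatched 130.0. The following added example (written for this article, not a Mozilla tool) parses the string that `firefox --version` prints and classifies it against the three fixed versions from the advisory. Sample inputs are constructed; the assumption that every train newer than 131 includes the fix follows from 131.0.2 being the first fixed release.

```c
#include <stdio.h>
#include <string.h>

/* Added example: train-aware "is this Firefox patched for CVE-2024-9680?" check.
 * Fixed versions come from the advisory; everything else here is an assumption
 * made for the demonstration. */

typedef struct { int major, minor, patch; } Ver;

/* First fixed build on each supported train. */
static const Ver FIXED[] = { {131, 0, 2}, {128, 3, 1}, {115, 16, 1} };
#define NEWEST_FIXED_MAJOR 131

/* Accepts "Mozilla Firefox 131.0.2", "131.0", "128.3.1esr", etc.
 * Returns 1 on success, 0 if no "major.minor" is present. */
static int parse_ver(const char *s, Ver *v) {
    const char *p = s;
    while (*p && !(*p >= '0' && *p <= '9')) p++;   /* skip the product name */
    v->major = v->minor = v->patch = 0;
    int n = sscanf(p, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    return n >= 2;
}

static int cmp(Ver a, Ver b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* 1 = patched, 0 = vulnerable (needs upgrade), -1 = unparsable input. */
static int firefox_patched(const char *version_string) {
    Ver v;
    if (!parse_ver(version_string, &v)) return -1;
    /* Supported trains: compare within the train, never across trains. */
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++)
        if (FIXED[i].major == v.major) return cmp(v, FIXED[i]) >= 0;
    /* Assumption: trains released after 131 carry the fix. */
    if (v.major > NEWEST_FIXED_MAJOR) return 1;
    /* Any other train (e.g. 130, 116, 114) predates the fix and no longer
     * receives updates: treat as vulnerable. */
    return 0;
}

int main(void) {
    /* Constructed sample outputs of `firefox --version`. */
    const char *samples[] = {
        "Mozilla Firefox 131.0.2", "Mozilla Firefox 131.0.1",
        "Mozilla Firefox 115.16.1esr", "Mozilla Firefox 128.3.0esr",
        "Mozilla Firefox 130.0", "not a version"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = firefox_patched(samples[i]);
        printf("%-32s -> %s\n", samples[i],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE" : "unparsable");
    }
    return 0;
}
```

The same train-aware comparison applies to any vendor that maintains parallel release channels; the mistake it avoids is comparing version numbers as if they were on a single timeline.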
When asked for a statement, Mozilla directed us to their security blog.
