Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680)

Mozilla has pushed out an emergency update for its Firefox and Firefox ESR browsers to fix a vulnerability (CVE-2024-9680) that is being exploited in the wild.

About CVE-2024-9680

Reported by ESET malware researcher Damien Schaeffer, CVE-2024-9680 is a use-after-free vulnerability in the browser’s Animation timelines and, according to Mozilla, has been exploited to achieve code execution in the content process.

Additional details about the vulnerability or the attacks are yet to be shared.

According to Mozilla’s engineers, the fixed versions – Firefox 131.0.2, Firefox ESR 115.16.1 and Firefox ESR 128.3.1 – were shipped within 25 hours of the vulnerability being reported to them.

How to upgrade your Firefox?

Automatic updates are enabled in Firefox by default, so most home users will receive this security update automatically; the fix takes effect once they restart the browser.

Those who have turned off the option must check for updates manually (in Settings > General > Firefox Updates), and are urged to upgrade as soon as possible.

Firefox update options

In enterprise settings, automatic updates are often disabled by the organization’s IT administrators, and employees usually lack the privileges to check for and install updates themselves; deploying the fix is then the IT department’s responsibility.
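A practical check for both cases above (a home user confirming the restart actually picked up the fix, or an IT team sweeping a fleet where auto-update is disabled) is to compare the installed build against the fixed versions Mozilla listed. The following is an added example, not code from Mozilla or from the original article; it parses the output of `firefox --version` (assumed to look like `Mozilla Firefox 131.0.1` or `Mozilla Firefox 128.3.0esr`) and decides whether that build contains the CVE-2024-9680 fix. It treats any release newer than 131.0.2 as fixed, which holds because later releases carry the patch, and treats branches that never received a fixed build (116–127, 129, 130, anything older than 115) as unpatched. The Tor Browser and Tails versions are not covered.

```python
import re
import subprocess

# Fixed builds announced by Mozilla for CVE-2024-9680, keyed by branch.
FIXED = {
    "release": (131, 0, 2),   # Firefox 131.0.2
    "esr128": (128, 3, 1),    # Firefox ESR 128.3.1
    "esr115": (115, 16, 1),   # Firefox ESR 115.16.1
}

# Matches "131.0", "131.0.2", "128.3.0esr" inside a `firefox --version` line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Parse a `firefox --version` line into ((major, minor, patch), is_esr).

    A missing patch component (e.g. '131.0') is treated as 0. Returns None
    when no version number is present in the text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def is_patched(text):
    """Return True if the build described by `text` contains the CVE-2024-9680 fix."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    version, _is_esr = parsed
    major = version[0]
    if major == 115:
        return version >= FIXED["esr115"]
    if major == 128:
        return version >= FIXED["esr128"]
    if major >= 131:
        return version >= FIXED["release"]
    # 116-127, 129, 130 and anything older than 115: no fixed build exists
    # on those branches, so the only remediation is moving to a fixed branch.
    return False


def check_local_firefox(binary="firefox"):
    """Run `<binary> --version` on this host and report (version_line, patched).

    `binary` is a hypothetical parameter for this example; on Linux the default
    `firefox` wrapper supports --version. Returns (None, False) if the binary
    is not installed or cannot be executed.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=30).stdout.strip()
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None, False
    return out, is_patched(out)


if __name__ == "__main__":
    # Constructed sample lines, as a fleet inventory might record them.
    samples = [
        "Mozilla Firefox 131.0.1",
        "Mozilla Firefox 131.0.2",
        "Mozilla Firefox 128.3.0esr",
        "Mozilla Firefox 128.3.1esr",
        "Mozilla Firefox 115.16.0esr",
        "Mozilla Firefox 130.0",
    ]
    for line in samples:
        print(f"{line:32} -> {'patched' if is_patched(line) else 'VULNERABLE'}")
    line, ok = check_local_firefox()
    print("local install:", line or "not found", "->", "patched" if ok else "VULNERABLE")
```

Run it on the constructed samples to see the branch logic, or point `check_local_firefox` at the path of a specific install; for a fleet, feed the inventory’s version strings through `is_patched` instead of executing the binary on each host.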

Tor Browser, which includes a modified Mozilla Firefox ESR browser, has also been updated to fix the vulnerability.

UPDATE (October 15, 2024, 05:30 a.m. ET):

The Tor Project has released the latest version of the Tails operating system, which uses a modified version of Tor Browser.

“Using [CVE-2024-9680], an attacker could take control of Tor Browser, but probably not deanonymize you in Tails,” they noted.

The team also says that they have no evidence that Tor Browser users were targeted by attackers leveraging this flaw.

The vulnerability has been fixed in:

  • Tor Browser 13.5.7 and 14.0a9
  • Tor Browser for Android 13.5.8
  • Tails 6.8.1

UPDATE (October 16, 2024, 05:30 a.m. ET):

CVE-2024-9680 has also been fixed in Thunderbird, Mozilla’s email client, although the potential for exploitation there is low.

“In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts,” Mozilla explained.

UPDATE (November 26, 2024, 08:25 a.m. ET):

ESET researchers have explained how Russia-aligned APT group RomCom leveraged the vulnerability to target users in Europe and North America.
