Mozilla fixes Firefox zero-day actively exploited in attacks

Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks.

The vulnerability, tracked as CVE-2024-9680 and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

This type of flaw occurs when memory that has been freed is still used by the program, allowing malicious actors to add their own malicious data to the memory region to perform code execution.

Animation timelines, part of Firefox’s Web Animations API, are a mechanism that controls and synchronizes animations on web pages.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” reads the security bulletin.

“We have had reports of this vulnerability being exploited in the wild.”

The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Fixes have been made available in the below versions, which users are recommended to upgrade to immediately:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1

Given the active exploitation status for CVE-2024-9680 and the lack of any information on how people are targeted, upgrading to the latest versions is essential.

To upgrade to the latest version, launch Firefox and go to Settings -> Help -> About Firefox, and the update should start automatically. A restart of the program will be required for the changes to apply.
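For administrators checking many machines rather than one browser, the fixed versions above can be turned into a per-channel check. The following is an added example, not code from Mozilla or from the article; it assumes version strings in the form printed by `firefox --version` (with an `esr` suffix on ESR builds), and the host names and sample outputs are constructed.

```python
import re

# Fixed versions for CVE-2024-9680 as listed in the article.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}  # keyed by ESR branch

# Assumed input: strings such as "Mozilla Firefox 128.3.1esr".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def needs_update(text):
    """True: below the fixed version for its channel. False: at or above it.
    None: the string could not be parsed and needs manual review."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    if not is_esr:
        return version < FIXED_RELEASE
    branch = version[0]
    if branch in FIXED_ESR:
        return version < FIXED_ESR[branch]
    # Assumption: an ESR branch not listed in the article is flagged when it
    # is older than the newest listed branch (128).
    return branch < max(FIXED_ESR)


# Constructed sample inventory (hypothetical host names and outputs).
INVENTORY = {
    "ws-01": "Mozilla Firefox 131.0",
    "ws-02": "Mozilla Firefox 131.0.2",
    "ws-03": "Mozilla Firefox 115.16.0esr",
    "ws-04": "Mozilla Firefox 128.3.1esr",
    "ws-05": "firefox: command not found",
}


def audit(inventory):
    """Map each host to the needs_update() result for its reported version."""
    return {host: needs_update(out) for host, out in inventory.items()}


if __name__ == "__main__":
    for host, flag in audit(INVENTORY).items():
        print(host, {True: "UPDATE", False: "ok", None: "REVIEW"}[flag])
```

Note that the channel matters: a release build reporting 128.3.1 is below 131.0.2 and is flagged, while 128.3.1esr is not.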

BleepingComputer has contacted both Mozilla and ESET to learn more about the vulnerability, how it’s being exploited, and against whom, and we will update this post when we receive more information.

Throughout 2024, so far, Mozilla had to fix zero-day vulnerabilities on Firefox only once.

On March 22, the internet company released security updates to address CVE-2024-29943 and CVE-2024-29944, both critical-severity issues discovered and demonstrated by Manfred Paul during the Pwn2Own Vancouver 2024 hacking competition.