Mozilla has issued an emergency safety replace for the Firefox browser to deal with a important use-after-free vulnerability that’s at the moment exploited in assaults.
The vulnerability, tracked as CVE-2024-9680, and found by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.
One of these flaw happens when reminiscence that has been freed continues to be utilized by this system, permitting malicious actors so as to add their very own malicious knowledge to the reminiscence area to carry out code execution.
Animation timelines, a part of Firefox’s Internet Animations API, are a mechanism that controls and synchronizes animations on net pages.
“An attacker was capable of obtain code execution within the content material course of by exploiting a use-after-free in Animation timelines,” reads the safety bulletin.
“We have now had studies of this vulnerability being exploited within the wild.”
The vulnerability impacts the most recent Firefox (customary launch) and the prolonged help releases (ESR).
Fixes have been made accessible within the under variations, which customers are really useful to improve to right away:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
Given the energetic exploitation standing for CVE-2024-9680 and the shortage of any info on how persons are focused, upgrading to the most recent variations is important.
To improve to the most recent model, launch Firefox and go to Settings -> Assist -> About Firefox, and the replace ought to begin routinely. A restart of this system will probably be required for the modifications to use.
BleepingComputer has contacted each Mozilla and ESET to be taught extra concerning the vulnerability, the way it’s being exploited, and towards whom, and we are going to replace this submit once we obtain extra info.
All through 2024, to this point, Mozilla needed to repair zero-day vulnerabilities on Firefox solely as soon as.
On March 22, the web firm launched safety updates to deal with CVE-2024-29943 and CVE-2024-29944, each critical-severity points found and demonstrated by Manfred Paul throughout the Pwn2Own Vancouver 2024 hacking competitors.