Mozilla patches critical Firefox vuln that attackers are already exploiting

Firefixed: It's maintenance time for low-complexity, high-impact security flaw

by · The Register

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser.

Mozilla said CVE-2024-9680 is a use-after-free in Animation timelines, the browser-engine code behind the Web Animations API's timeline objects, and that an attacker was able to use it to achieve code execution in the content process.

The most alarming aspect of the advisory, however, was Mozilla revealing that the vulnerability is being exploited in the wild already.

Underlining the severity of the vulnerability, the national cybersecurity centers of Canada, Italy, and the Netherlands issued their own advisories.

The Dutch national cyber center specifically signaled that while the risk of a criminal exploiting CVE-2024-9680 is rated as "medium," the potential damage from a successful attack is "high."

CVE-2024-9680 was discovered by ESET's Damien Schaeffer, and the National Vulnerability Database (NVD) assigned it a near-maximum 9.8 (critical) severity rating under CVSS v3.

The NVD base metrics, which score the flaw itself rather than how likely an attack is, put attack complexity at "low" and required no privileges or user interaction for a successful exploit. The impacts on confidentiality, integrity, and availability were all assessed as "high," which lines up with the Dutch center's "high" damage rating even if its "medium" likelihood figure sounds more relaxed.

Likewise, Italy's advisory also rated the vulnerability's impact as "severe," giving it a score of 79.23/100, factoring in the CVSS rating, availability of patches and working exploits, and how prevalent the product is.

A patch is now available for Firefox and Firefox Extended Support Release (ESR). Upgrading to version 131.0.2 in the regular release and versions 115.16.1 or 128.3.1 for Firefox ESR will fix the vulnerability.
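For anyone checking a fleet against the fixed builds listed above, the following is an added example (not code from Mozilla or The Register) that turns those version numbers into a branch-aware check: a 128.x install must be at 128.3.1 or later, a 115.x install at 115.16.1 or later, and anything on the main release line at 131.0.2 or later. Versions on branches with no fixed build (129.x, 130.x, or anything older than 115) are reported as unpatched. The sample version strings are constructed to look like the output of `firefox --version`.

```python
"""Check whether a Firefox version string is fixed for CVE-2024-9680.

Added example, not from Mozilla or The Register. It encodes the fixed
versions named in the advisory (131.0.2, ESR 128.3.1, ESR 115.16.1) and
treats every other branch as unpatched. The input strings used in the
usage at the bottom are constructed, in the shape of `firefox --version`.
"""
import re
from typing import Optional, Tuple

# Minimum fixed version per branch, taken from the advisory.
FIXED = {
    115: (115, 16, 1),  # Firefox ESR 115
    128: (128, 3, 1),   # Firefox ESR 128
    131: (131, 0, 2),   # Firefox release line
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull a dotted version out of text such as 'Mozilla Firefox 128.3.0esr'.

    Returns a three-part tuple (padding missing parts with 0 so that
    '131.0' compares as 131.0.0), or None if no version is present.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    padded = (parts + (0, 0, 0))[:3]
    return (padded[0], padded[1], padded[2])


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build for its branch.

    Branches without a fixed build (e.g. 129.x, 130.x, or older than 115)
    return False: there is nothing to patch to on that branch, so the
    remedy is to move to a supported release or ESR line.
    """
    v = parse_version(text)
    if v is None:
        return False
    major = v[0]
    if major >= 131:
        # Anything on or after the fixed release build counts as fixed.
        return v >= FIXED[131]
    if major in FIXED:
        # ESR 115 and ESR 128 each have their own fixed build.
        return v >= FIXED[major]
    return False


if __name__ == "__main__":
    # Constructed sample inputs, in the shape of `firefox --version` output.
    for sample in ("Mozilla Firefox 131.0.2", "Mozilla Firefox 128.3.0esr",
                   "Mozilla Firefox 115.16.1esr", "Mozilla Firefox 130.0.1"):
        print(f"{sample!r}: {'patched' if is_patched(sample) else 'UNPATCHED'}")
```

The branch logic matters more than the string comparison: a plain "is it at least 131.0.2" test would wrongly flag every patched ESR 128 and ESR 115 install as vulnerable, while a plain "is it at least 115.16.1" test would wrongly pass an unfixed 130.x build.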

Critical vulnerabilities affecting Firefox – which runs on Mozilla's own Gecko engine rather than on Chromium – are relatively rare. This week's patches are the first to address a top-priority bug in Firefox since March, and only a handful have been discovered in the past few years.

Similar to CVE-2024-9680, the vulnerabilities patched in March were both zero-days that allowed attackers to execute JavaScript code. Mozilla classified both as "critical," although one was only given an 8.4 (high) score on the CVSS. ®