Critical Vulnerability Discovered in Firefox Exposed to Exploitation
Mozilla has announced the discovery of a significant security vulnerability affecting both Firefox and the Firefox Extended Support Release (ESR). This flaw, tracked as CVE-2024-9680, has been identified as a use-after-free bug within the Animation timeline component and carries a CVSS score of 9.8, indicating a critical risk level. Notably, reports indicate that this vulnerability is currently being exploited in the wild, raising urgent concerns for users.
In an advisory issued on Wednesday, Mozilla confirmed that attackers can exploit this vulnerability for remote code execution in the content process. The advisory highlights the alarming fact that the exploitation of this flaw has already been observed in real-world attack scenarios. Security researcher Damien Schaeffer of the Slovakian cybersecurity firm ESET has been credited with its discovery, underscoring the importance of vigilant security monitoring.
Mozilla has taken swift action to mitigate this risk, releasing updates for affected versions of the browser. Users are urged to upgrade to Firefox 131.0.2, Firefox ESR 128.3.1, or Firefox ESR 115.16.1 to safeguard against potential threats stemming from this vulnerability. While specific tactics used in these attacks remain unconfirmed, such a vulnerability could facilitate various exploitation methods, including watering hole attacks—targeting users through compromised websites—or drive-by download campaigns, which trick users into visiting harmful sites.
Furthermore, the Tor Project has issued an emergency update for the Tor Browser (version 13.5.7) in response to the same CVE. Their advisory emphasizes that, while control of the Tor Browser could be compromised, it is unlikely that user anonymity would be breached in Tails. The Tor Project confirms awareness of the vulnerability being actively exploited against their users.
In a follow-up communication, Mozilla mentioned that ESET provided them with a sample that included a comprehensive exploit chain capable of achieving remote code execution on user devices. Remarkably, Mozilla managed to implement a fix within 25 hours of receiving the responsible disclosure, demonstrating a committed response to the urgency of the situation.
As this incident continues to unfold, business owners should be particularly vigilant. The vulnerability illustrates potential entry points that could be leveraged by adversaries using tactics outlined in the MITRE ATT&CK framework, such as initial access through drive-by downloads and code execution methods. Companies should prioritize immediate updates to their browser software to mitigate exposure to these threats.
In conclusion, while there is no clarification on the identity of the attackers or specifics of their methodologies, the documented exploitation of this vulnerability serves as a critical reminder of the evolving landscape of cybersecurity threats. Staying informed and proactive in applying security updates is essential for any organization aiming to protect its digital assets against such risks.
