Mozilla patches critical Firefox vuln that attackers are already exploiting
Firefixed: It's maintenance time for low-complexity, high-impact security flaw
It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser.
Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's animation progresses.
The most alarming aspect of the advisory, however, was Mozilla revealing that the vulnerability is being exploited in the wild already.
Underlining the severity of the vulnerability, the national cybersecurity centers of Canada, Italy, and the Netherlands were compelled to issue their own advisories.
The Dutch national cyber center specifically signaled that while the risk of a criminal exploiting CVE-2024-9680 is rated as "medium," the potential damage from a successful attack is "high."
CVE-2024-9680 was discovered by ESET's Damien Schaeffer, and the National Vulnerability Database (NVD) assigned it a near-maximum 9.8 (critical) severity rating under CVSSv3.
Somewhat in opposition to the Dutch cyber cops' take, the NVD's assessment noted that the complexity of the attack was "low" and that no privileges or user interaction were necessary for a successful exploit. The impacts on confidentiality, integrity, and availability were all assessed to be "high."
Likewise, Italy's advisory also rated the vulnerability's impact as "severe," giving it a score of 79.23/100, factoring in the CVSS rating, availability of patches and working exploits, and how prevalent the product is.
A patch is now available for Firefox and Firefox Extended Support Release (ESR). Upgrading to version 131.0.2 in the regular release and versions 115.16.1 or 128.3.1 for Firefox ESR will fix the vulnerability.
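For anyone checking a fleet rather than a single browser, the three fixed versions above are enough to write a quick inventory triage. The script below is an added example, not Mozilla's code or anything from the advisory: it takes the fixed versions from the text (131.0.2 for the regular release, 115.16.1 and 128.3.1 for ESR) and assumes that any build older than the fix on its own branch is unpatched, that majors 115 and 128 are the ESR branches, and that any other major is on the regular channel. The host names and versions in the sample inventory are constructed.

```python
"""Check Firefox version strings against the CVE-2024-9680 fixed releases.

Added example (not Mozilla's code). The fixed versions come from the advisory
summary: 131.0.2 (release), 115.16.1 and 128.3.1 (ESR). Everything else is an
assumption: a version older than the fix on its own branch is treated as
unpatched, and majors 115 and 128 are mapped to the ESR branches.
"""
from __future__ import annotations

import re

# Fixed versions per branch (values from the advisory summary). ESR branches
# are keyed by major version; everything else falls back to the regular release.
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}
FIXED_RELEASE = (131, 0, 2)

# Accepts "131.0.2", "132.0" and the "115.16.1esr" form some inventories report.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a Firefox version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(text: str) -> bool:
    """Return True if this version includes the CVE-2024-9680 fix.

    ESR majors (115, 128) are compared against their own fixed release; any
    other major is assumed to be on the regular channel and compared against
    131.0.2 (assumption: majors such as 129 or 130 have no separate fixed build,
    so they count as unpatched, while 132 and later include the fix).
    """
    v = parse_version(text)
    fixed = FIXED_ESR.get(v[0], FIXED_RELEASE)
    return v >= fixed


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts from a {host: version} inventory that still need the update."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws-01": "131.0.2",
    "ws-02": "131.0.1",
    "srv-esr-a": "128.3.1esr",
    "srv-esr-b": "128.3.0esr",
    "kiosk": "115.16.1",
    "legacy": "115.15.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {SAMPLE_INVENTORY[host]} needs the CVE-2024-9680 update")
```

The comparison is deliberately conservative: a stale regular-channel 128.0 install is compared against the 128.3.1 ESR fix and correctly flagged, and anything between 129.0 and 131.0.1 is flagged because no fixed build exists on those majors.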
Critical vulnerabilities affecting Firefox – which runs on its own Quantum browser engine rather than on Chromium – are relatively rare. This week's patches are the first to address a top-priority bug in Firefox since March, and only a handful have been discovered in the past few years.
Similar to CVE-2024-9680, the vulnerabilities patched in March were both zero-days that allowed attackers to execute JavaScript code. Mozilla classified both as "critical," although one was only given an 8.4 (high) score on the CVSS. ®