Mozilla has issued an emergency security replace for the Firefox browser to deal with a crucial use-after-free vulnerability that’s at the moment exploited in assaults.
The vulnerability, tracked as CVE-2024-9680, and found by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.
One of these flaw happens when reminiscence that has been freed remains to be utilized by this system, permitting malicious actors so as to add their very own malicious information to the reminiscence area to carry out code execution.
Animation timelines, a part of Firefox’s Internet Animations API, are a mechanism that controls and synchronizes animations on internet pages.
“An attacker was in a position to obtain code execution within the content material course of by exploiting a use-after-free in Animation timelines,” reads the security bulletin.
“Now we have had stories of this vulnerability being exploited within the wild.”
The vulnerability impacts the most recent Firefox (customary launch) and the prolonged assist releases (ESR).
Fixes have been made accessible within the beneath variations, which customers are really helpful to improve to instantly:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
Given the lively exploitation standing for CVE-2024-9680 and the shortage of any info on how persons are focused, upgrading to the most recent variations is important.
To improve to the most recent model, launch Firefox and go to Settings -> Assist -> About Firefox, and the replace ought to begin routinely. A restart of this system will probably be required for the adjustments to use.
Supply: BleepingComputer
BleepingComputer has contacted each Mozilla and ESET to be taught extra in regards to the vulnerability, the way it’s being exploited, and in opposition to whom, and we’ll replace this put up after we obtain extra info.
All through 2024, up to now, Mozilla needed to repair zero-day vulnerabilities on Firefox solely as soon as.
On March 22, the web firm launched security updates to deal with CVE-2024-29943 and CVE-2024-29944, each critical-severity points found and demonstrated by Manfred Paul throughout the Pwn2Own Vancouver 2024 hacking competitors.
