A severe zero-day vulnerability, CVE-2024-9680, has been discovered in the widely-used Firefox and Tor web browsers, posing significant security risks. This flaw, which has already been exploited in the wild, is a use-after-free vulnerability within Firefox’s Animation timelines. A use-after-free issue occurs when memory that has been freed is still accessed, allowing attackers to inject malicious code, leading to remote code execution on a victim’s machine.
Details of the Vulnerability
This specific zero-day, discovered by ESET security researcher Damien Schaeffer, targets Firefox’s Web Animations API, responsible for synchronizing animations on websites. By exploiting this flaw, attackers can execute arbitrary code, potentially taking over the victim’s browser and, by extension, their system【6†source】【7†source】.
Mozilla’s Response
Mozilla acted swiftly after the vulnerability was reported, issuing updates that patch the flaw in Firefox versions 131.0.2, as well as its Extended Support Releases (ESR) 128.3.1 and 115.16.1. According to Mozilla, the exploit has been observed in real-world attacks, though details regarding the nature of these attacks or the identity of the threat actors remain limited【8†source】.
Impact on Tor Browser
Since the Tor Browser is based on Firefox, it too was vulnerable to the flaw. An emergency patch was rolled out in Tor Browser version 13.5.7, addressing the same CVE-2024-9680 vulnerability. While an attacker could potentially take control of the Tor Browser using this exploit, it is believed that user anonymity on the Tails operating system is not at risk【6†source】【7†source】.
Urgent Action Required
Given the high-severity nature of this exploit (with a CVSS score of 9.8), all users are strongly advised to update their browsers to the latest versions immediately. Firefox and Tor Browser users should prioritize upgrading, as the flaw is being actively exploited in the wild, making them vulnerable to attacks【7†source】.
Mozilla’s quick response, releasing a patch within 25 hours of receiving a full exploit chain from ESET, highlights the seriousness of the vulnerability. This is the first confirmed Firefox zero-day exploit in 2024, following other critical patches earlier this year.
The discovery of CVE-2024-9680 underscores the importance of staying updated with the latest security patches, especially for widely-used browsers like Firefox and Tor. Given the real-world exploitation of this vulnerability, users must ensure they are protected by upgrading to the patched versions immediately.
About the Author
