CVE-2024-9680: Critical Firefox Security Flaw Under Active Attack

Mozilla has urgently released a security update for the Firefox browser to address a critical use-after-free (UAF) vulnerability that is already being actively exploited in attacks.

The zero-day vulnerability, CVE-2024-9680 (CVSS score: 9.8), was discovered by ESET researcher Damien Schaffer and is related to the web page animation management mechanism.

Use-after-free is a type of flaw where a program continues to use memory that has already been freed. This allows attackers to insert malicious data into memory, potentially leading to the execution of arbitrary code. In this case, the vulnerability affects the Web Animations API, which manages animations on web pages.

According to the security bulletin, cybercriminals were able to execute code in the browser’s content process by exploiting a flaw in the animation timeline mechanism. Instances of exploitation have already been recorded.

The vulnerability impacts the latest versions of the Firefox browser, including both standard releases and extended support releases (ESR). To protect users, updates have been issued in the following versions:

• Firefox 131.0.2;
• Firefox ESR 115.16.1;
• Firefox ESR 128.3.1.

Given that the vulnerability is being actively exploited, it is strongly recommended to update the browser immediately. To do this, open Firefox, go to “Settings” -> “Help” -> “About Firefox,” after which the update process will begin automatically. A restart will be required to complete the installation. Details on how attackers are leveraging this flaw remain unavailable, making the update critically important.