

Firefox update fixes exploited vulnerability
sinolod


Mozilla, the company behind the Firefox browser, released a patch on Wednesday for a zero-day vulnerability that it says has been exploited. NIST lists the vulnerability as CVE-2024-9680 and its status as “awaiting analysis.” Firefox users should update to the latest browser version and extended support versions to protect their systems from potential attacks.

Due to the widespread use of Firefox, this issue poses a significant risk, especially for systems that have not been updated. No specific details about the attackers or exploitation methods have been released, but possible attack vectors include drive-by downloads or malicious websites.

Use-after-free flaw highlights cracks in memory-unsafe programming languages

The attacker discovered the use-after-free flaw in animation timelines, which are part of an API that displays animations on web pages. A use-after-free bug occurs when a program keeps using a reference to dynamically allocated memory after that memory has already been freed. Such bugs typically arise in code written in a programming language without automatic memory management, such as C or C++. The US government’s recommendation to move away from memory-unsafe languages is an attempt to prevent this class of flaw.

SEE: Microsoft and Apple released major fixes on this month’s Patch Tuesday.

“We have received reports of wild exploitation of this vulnerability,” Mozilla wrote.

“Within an hour of receiving the sample, we assembled a team of security, browser, compiler, and platform engineers to reverse engineer the exploit, forcing it to trigger its payload and understand how it worked,” wrote Mozilla security engineer Tom Ritter in a blog post on October 11.

Mozilla deployed the patch in just 25 hours, Ritter noted.

“Our team will continue to analyze the exploit to find additional hardening measures to make the deployment of exploits for Firefox more difficult and rare,” he wrote.

This is not the first time that Mozilla has faced a cyber incident. In 2015, a critical flaw allowed attackers to bypass the browser’s same-origin policy and access local files. In 2019, the company fixed a zero-day flaw that attackers were actively exploiting to take control of systems by tricking users into visiting malicious sites, highlighting the importance of staying up to date with the latest browser versions.

However, Mozilla has issued an advisory for only one other critical vulnerability in the last year, an out-of-bounds read or write vulnerability discovered by Trend Micro in March.

Other web browsers have been targeted in recent years

Several other web browsers have been exploited by cyberattackers in recent years:

  • Google Chrome: Due to its widespread use, Chrome is a common target. For example, in 2022, Google fixed a serious zero-day vulnerability related to a type confusion bug in the V8 JavaScript engine, which allowed arbitrary code execution.
  • Microsoft Edge: In 2021, a series of vulnerabilities allowed attackers to execute code remotely, including an issue found in the WebRTC component.
  • Apple Safari: Since 2021, Apple has patched a series of zero-day vulnerabilities, including those used to target iPhone and Mac users through WebKit, the engine that runs Safari.

How to apply the Mozilla patch

The following versions include the fix:

  • Firefox 131.0.2.
  • Firefox ESR 115.16.1.
  • Firefox ESR 128.3.1.

To update your browser, go to Settings -> Help -> About Firefox. Reopen the browser after applying the update.
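For administrators who need to confirm the fix across many machines, the following POSIX shell check is an added example (not from the article or from Mozilla) that compares an installed Firefox version against the fixed versions listed above. It assumes that `firefox --version` prints `Mozilla Firefox <version>` (ESR builds append `esr`) and that every later release on a branch keeps the fix.

```shell
#!/bin/sh
# Check whether a Firefox version carries the CVE-2024-9680 fix.
# Fixed versions from the advisory: Firefox 131.0.2, ESR 115.16.1, ESR 128.3.1.

# ver_ge A B: return 0 if dotted version A >= B, comparing components numerically.
ver_ge() {
  a="$1"; b="$2"; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
    x=${x:-0}; y=${y:-0}                     # missing component counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# version_from_banner BANNER: extract "131.0.2" from "Mozilla Firefox 131.0.2"
# (ESR banners such as "Mozilla Firefox 115.16.1esr" yield "115.16.1").
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*/\1/p'
}

# firefox_patched VERSION: return 0 if VERSION includes the fix, 1 if it is vulnerable.
# The branch is chosen by major version; assumption: later releases keep the fix.
firefox_patched() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  case "$major" in
    115) ver_ge "$v" 115.16.1 ;;   # ESR 115 line
    128) ver_ge "$v" 128.3.1 ;;    # ESR 128 line
    *)   ver_ge "$v" 131.0.2 ;;    # mainline: anything below 131.0.2 is unpatched
  esac
}

# When given a banner on the command line, report the verdict, e.g.:
#   sh firefox_check.sh "$(firefox --version)"
if [ $# -gt 0 ]; then
  ver=$(version_from_banner "$1")
  [ -n "$ver" ] || { echo "unrecognised banner: $1" >&2; exit 2; }
  if firefox_patched "$ver"; then
    echo "Firefox $ver: patched for CVE-2024-9680"
  else
    echo "Firefox $ver: VULNERABLE to CVE-2024-9680, update now"; exit 1
  fi
fi
```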

When contacted for comment, Mozilla pointed us to its security blog.