Mozilla warns of a critical security issue in Firefox, so patch immediately
Mozilla just patched a major vulnerability in its Firefox browser that was apparently exploited in the wild.
In a short security advisory, the company said it had discovered a use-after-free vulnerability in Animation timelines.
This bug, tracked as CVE-2024-9680, does not yet have a severity rating, but it is being exploited to achieve Remote Code Execution (RCE), meaning attackers can use it to plant malware on vulnerable devices and possibly take them over completely.
Drive-by, XSS and more
“We have had reports of this vulnerability being exploited in the wild,” Mozilla said in the advisory, adding that both Firefox and Firefox Extended Support Release (ESR) are vulnerable, so users are advised to patch to these versions immediately:
Firefox 131.0.2
Firefox ESR 128.3.1 and
Firefox ESR 115.16.1.
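To turn the three fixed versions above into a fleet check, the following is an added example (not code from the article or from Mozilla) that parses a Firefox version string and reports whether it is at or above the patched release for its channel. It assumes the ESR branch can be identified by the major version (115 or 128), with everything else treated as the rapid-release channel.

```python
import re
import subprocess

# Minimum fixed versions for CVE-2024-9680, as listed in Mozilla's advisory.
PATCHED = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Mozilla Firefox 131.0.2'
    or '128.3.1esr'. A missing patch component defaults to 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def channel_for(version):
    """Assumption: ESR channels are recognised by major version only."""
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(text):
    """True if the version string describes a build that carries the fix."""
    version = parse_version(text)
    return version >= PATCHED[channel_for(version)]


def check_installed(binary="firefox"):
    """Query the local binary; returns (version_string, patched)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip(), is_patched(out.stdout)


if __name__ == "__main__":
    # Constructed sample strings; on a real host call check_installed() instead.
    for sample in ["Mozilla Firefox 131.0.2", "128.3.0esr", "115.16.1esr", "130.0"]:
        print(f"{sample:28} patched={is_patched(sample)}")
```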
There are currently no reports on who is exploiting this bug or how, but looking at similar recent issues, there are several ways the vulnerability can be exploited, including a watering hole attack targeting specific websites, or a drive-by download campaign that entices people to visit a malicious website.
Browsers are now an indispensable part of any computer and as such are basically ubiquitous. This makes them an extremely popular target for cybercriminals looking for access to a network and a device. With more than 250 million monthly active users, Firefox is one of the most popular products in its category and has been downloaded more than 2 billion times worldwide.
When a browser contains vulnerable code, it lets threat actors conduct drive-by download attacks, among other things. Hackers can inject malicious code into websites or advertisements that they have previously compromised; when users visit such a site, they download malware without even realizing it.
Other types of attacks enabled through compromised browsers include cross-site scripting (XSS), buffer overflows, and man-in-the-middle attacks.
Via The Hacker News