Mozilla has released an emergency patch to address an actively exploited zero-day vulnerability in its Firefox browser. The flaw, designated CVE-2024-9880, is due to a use-after-free weakness in the browser’s Animation timelines feature which is used to control and synchronize animations on web pages.
So far, Mozilla has not released any details on how and to what extent the vulnerability is being exploited, only that it could lead to remote code execution (RCE).
The flaw impacts the latest versions of both the standard and extended support editions of Firefox. Mozilla advises impacted users to upgrade to the latest version of their browser as soon as possible.
Source: Bleeping Computer
Analysis
The lack of details from Mozilla regarding CVE-2024-7971 is likely deliberate to limit the vulnerability’s impact and buy time for affected users to install updates. Releasing further details at this time could result in additional threat actors obtaining the information they need to create and exploit the vulnerability.
CVE-2024-9880 marks the third zero-day vulnerability in Firefox discovered in 2024, and the first that has been actively exploited. The first two vulnerabilities were revealed during a hacking competition and patched by Mozilla a day later. That same competition revealed three vulnerabilities in Google Chrome, out of a total of nine found and patched this year. Several of the Chrome vulnerabilities have also been actively exploited by threat actors.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in browsers like Firefox. Field Effect MDR users were automatically notified if a vulnerable version of Firefox is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users update to the latest version of Firefox as soon as possible, in accordance with Mozilla’s advisory.
Related Articles
