Firefox update patches exploited vulnerability
Mozilla, the company behind the Firefox browser, on Wednesday released a fix for a zero-day vulnerability it says has been exploited. NIST lists the vulnerability as CVE-2024-9680, with a status of "Awaiting Analysis". Firefox users should update to the latest versions of the release and Extended Support Release (ESR) browsers to protect their systems from potential attacks.
Because Firefox is so widely used, this flaw poses a significant risk, especially to systems that have not been updated. No specific details have been released about the attackers or the exploitation method, but plausible attack vectors include drive-by downloads and malicious websites.
Use-after-free flaw exposes cracks in memory-insecure programming languages
The attacker found a use-after-free flaw in the Animation Timeline, a part of the API that displays animations on web pages. A use-after-free bug occurs when a program continues to use a block of dynamically allocated memory after that memory has already been freed. This class of flaw arises in code written in programming languages without automatic memory management, such as C or C++. The US government's recommendation to move away from memory-unsafe languages is an attempt to prevent exactly this type of flaw.
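The following C program is an added illustration of the bug class described above; it is not Mozilla's code and says nothing about how the Firefox flaw itself works. The `Animation`/`Timeline` names and the slot allocator are hypothetical stand-ins. The allocator is used instead of `malloc`/`free` so that the effect of a dangling pointer is deterministic and observable: after the animation is released, the freed slot is handed to a new, unrelated object, and the stale pointer in the timeline silently reads that other object's data. The hardened variant clears the reference when the object is released and checks it before use.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a browser's animation object (hypothetical name). */
typedef struct {
    int id;
    int duration_ms;
} Animation;

/* Tiny fixed-slot allocator with a LIFO free list.  Real heap behaviour after
 * free() is undefined; this makes the reuse of a freed slot deterministic. */
#define SLOT_COUNT 4
static Animation slots[SLOT_COUNT];
static int free_stack[SLOT_COUNT];
static int free_top;

static void arena_reset(void) {
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* slot 0 is handed out first */
    memset(slots, 0, sizeof slots);
}

static Animation *arena_alloc(void) {
    if (free_top == 0) return NULL;
    return &slots[free_stack[--free_top]];
}

static void arena_free(Animation *a) {
    free_stack[free_top++] = (int)(a - slots);
}

/* The timeline keeps a raw pointer to the animation it is currently playing. */
typedef struct {
    Animation *current;
} Timeline;

/* Vulnerable pattern: the object is released, but the timeline still holds
 * the pointer, so later reads go through freed memory. */
static void timeline_remove_vulnerable(Timeline *t) {
    arena_free(t->current);
    /* bug: t->current is left dangling */
}

/* Hardened pattern: releasing the object also invalidates the reference. */
static void timeline_remove_safe(Timeline *t) {
    arena_free(t->current);
    t->current = NULL;
}

/* Id of the current animation, or -1 when the timeline holds none. */
static int timeline_current_id(const Timeline *t) {
    if (t->current == NULL) return -1;
    return t->current->id;
}

/* Scenario shared by both demos: animation 1 is attached and removed, then an
 * unrelated animation 2 is created and reuses the slot that was just freed. */
static int run_scenario(void (*remove_fn)(Timeline *)) {
    arena_reset();
    Timeline t;
    t.current = arena_alloc();
    t.current->id = 1;
    t.current->duration_ms = 500;

    remove_fn(&t);

    Animation *other = arena_alloc();    /* same slot as the freed animation */
    other->id = 2;
    other->duration_ms = 9999;

    return timeline_current_id(&t);
}

/* Stale pointer observes the new object's id (2) instead of the freed one. */
int demo_vulnerable(void) { return run_scenario(timeline_remove_vulnerable); }
/* Cleared reference is detected and reported as "no animation" (-1). */
int demo_hardened(void)   { return run_scenario(timeline_remove_safe); }

int main(void) {
    printf("vulnerable: timeline reads id %d through a freed slot\n", demo_vulnerable());
    printf("hardened:   timeline reports %d (no current animation)\n", demo_hardened());
    return 0;
}
```

The point to take from the run is that the vulnerable timeline does not crash; it quietly operates on whatever now occupies the freed memory, which is why this bug class is dangerous and why sanitizers (AddressSanitizer) and memory-safe languages are the usual mitigations.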
“We have reports of this vulnerability being exploited in the wild,” Mozilla wrote.
Security engineer Tom Ritter wrote in a Mozilla blog post on 11 October: "Within an hour of receiving the sample, we deployed a team of security, browser, compiler, and platform engineers to reverse engineer the exploit, force it to trigger its payload, and understand how it was called to see how it works."
Ritter said Mozilla implemented the fix in just 25 hours.
"Our team will continue to analyze the exploit to find additional hardening measures to make Firefox harder and rarer to exploit," he wrote.
This is not the first time Mozilla has experienced a cyber incident. In 2015, a critical flaw allowed attackers to bypass the browser's same-origin policy and access local files. In 2019, the company fixed a zero-day flaw that attackers were actively using to take over systems when users visited malicious sites, underscoring the importance of staying current with the latest browser versions.
Over the past year, however, Mozilla has issued an advisory for only one other vulnerability of this severity: an out-of-bounds read or write discovered by Trend Micro in March.
Other web browsers have also been targeted in recent years
Several other web browsers have been exploited by cyber attackers in recent years:
- Google Chrome: Because of its widespread use, Chrome has been a common target. For example, in 2022 Google fixed a serious zero-day vulnerability, a type confusion bug in the V8 JavaScript engine, that allowed arbitrary code execution.
- Microsoft Edge: In 2021, a series of vulnerabilities allowed attackers to achieve remote code execution, including an issue found in WebRTC components.
- Apple Safari: As of 2021, Apple has patched a series of zero-day vulnerabilities, including ones used to target iPhone and Mac users through WebKit, the engine that runs Safari.
How to apply the Mozilla patch
The following versions contain the patch:
- Firefox 131.0.2.
- Firefox ESR 115.16.1.
- Firefox ESR 128.3.1.
To update your browser, go to Settings -> Help -> About Firefox. Restart the browser after the update has been applied.
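For fleet checks, an administrator usually wants a script rather than a menu walk. The POSIX shell snippet below is an added example, not part of the article or of Mozilla's tooling: it takes the output of `firefox --version` (or any version string) and decides whether it is at or above the patched minimum for its branch, using the three fixed versions listed above (131.0.2, ESR 115.16.1, ESR 128.3.1). Function names are the author's own; the branch rule assumes that an ESR install reports major version 115 or 128 and that anything else is the release channel, so mainline versions below 131.0.2 are reported as needing an update.

```shell
#!/bin/sh
# Added example: check whether a Firefox version string already contains the
# CVE-2024-9680 fix.  Minimum patched versions are taken from the article.

# Compare two dotted version numbers; prints -1, 0 or 1.  Missing components
# are treated as 0, so "131.0" equals "131.0.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# Returns 0 when the version string is patched, 1 when it needs an update or
# cannot be parsed.  Accepts e.g. "Mozilla Firefox 131.0.2" or "115.16.1esr".
firefox_is_patched() {
    # keep only digits and dots, then take the first such token
    ver=$(printf '%s\n' "$1" | tr -c '0-9.\n' ' ' | awk '{ print $1; exit }')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    case "$major" in
        115) min=115.16.1 ;;   # ESR 115 branch
        128) min=128.3.1 ;;    # ESR 128 branch
        *)   min=131.0.2 ;;    # release branch; older mainline majors fall short
    esac
    [ "$(vercmp "$ver" "$min")" -ge 0 ]
}

# Query the locally installed binary, if there is one on PATH.
check_installed() {
    command -v firefox >/dev/null 2>&1 || { echo "firefox not found in PATH"; return 2; }
    out=$(firefox --version 2>/dev/null)
    if firefox_is_patched "$out"; then
        echo "$out: patched"
    else
        echo "$out: UPDATE NEEDED"
        return 1
    fi
}

if [ "${1:-}" = "--check-installed" ]; then
    check_installed
fi
```

Run it as `sh check_firefox.sh --check-installed` on each host, or feed it version strings collected by inventory tooling; a non-zero exit status marks machines that still need the update.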
When contacted for comment, Mozilla referred us to its security blog.