Mozilla has just patched a major vulnerability in its Firefox browser that was apparently being abused in the wild.
In a short security advisory, the company said it discovered a use-after-free vulnerability in Animation timelines.
This bug, tracked as CVE-2024-9680, does not yet have a severity rating, but is being abused to achieve remote code execution (RCE), which means crooks can use it to deploy malware on vulnerable devices, and possibly even take them over, entirely.
Drive-by, XSS, and more
“We have had reports of this vulnerability being exploited in the wild,” Mozilla said in the advisory, adding both Firefox and Firefox Extended Support Release (ESR) are vulnerable, so users are advised to patch to these versions immediately:
Firefox 131.0.2
Firefox ESR 128.3.1, and
Firefox ESR 115.16.1.
There are currently no reports on who, or how, is exploiting this bug, but looking at similar recent issues, there are several ways the vulnerability could be abused, including a watering hole attack targeting specific websites, or a drive-by download campaign that tricks people into visiting the wrong website.
Browsers are an indispensable part of every computer these days, and as such, they are basically omnipresent. This makes them an extremely popular target for cybercriminals looking for a way onto a network and into a device. Firefox, with more than 250 million monthly active users, is one of the most popular products in its category, having been downloaded more than 2 billion times globally.
By hosting vulnerable code, the browser allows threat actors to conduct, among other things, drive-by download attacks. Hackers can inject malicious code into websites or ads they previously compromised. When a user visits such a site, they download malware without even realizing.
Other types of attacks made possible via compromised browsers include cross-site scripting (XSS), buffer overflows, and man-in-the-middle attacks.
Via The Hacker News