Mozilla warns of critical Firefox security flaw, so patch immediately
Firefox bug allowed threat actors to run remote code execution attacks against vulnerable endpoints
Mozilla has just patched a major vulnerability in its Firefox browser that was apparently being abused in the wild.
In a short security advisory, the company said it discovered a use-after-free vulnerability in Animation timelines.
This bug, tracked as CVE-2024-9680, does not yet have a severity rating, but is being abused to achieve remote code execution (RCE), which means crooks can use it to deploy malware on vulnerable devices, and possibly even take them over, entirely.
Drive-by, XSS, and more
“We have had reports of this vulnerability being exploited in the wild,” Mozilla said in the advisory, adding that both Firefox and Firefox Extended Support Release (ESR) are vulnerable, so users are advised to patch to these versions immediately:
Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
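Because the fix landed on three branches at once, a fleet check has to compare each host against the right threshold. The script below is an added example, not Mozilla's or TechRadar's code; it parses Firefox version strings, picks the branch by major version (115 and 128 are treated as ESR, everything else as rapid release) and reports hosts still below the fixed build. The inventory is constructed sample data.

```python
"""Flag hosts whose Firefox build predates the CVE-2024-9680 fix
(Firefox 131.0.2, ESR 128.3.1, ESR 115.16.1). Added example; the
inventory below is constructed, not real telemetry."""
import re

# Minimum fixed build per branch, as listed in the Mozilla advisory.
FIXED = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}


def parse_version(text):
    """Turn '128.2.0esr' or '131.0.1 (64-bit)' into ((128, 2, 0), is_esr)."""
    token = text.strip().split()[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", token)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    nums = tuple(int(m.group(i) or 0) for i in (1, 2, 3))
    return nums, m.group(4) is not None


def is_patched(text):
    """True if the build is at or above the fixed version for its branch."""
    version, _is_esr = parse_version(text)
    major = version[0]
    # 115.x and 128.x are the ESR lines; any other major is rapid release,
    # and anything below 131.0.2 on that line is still exposed.
    if major == 115:
        key = "esr115"
    elif major == 128:
        key = "esr128"
    else:
        key = "release"
    return version >= FIXED[key]


def triage(inventory):
    """inventory: {host: version string}. Returns hosts still unpatched."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


SAMPLE_INVENTORY = {  # constructed sample data, not real hosts
    "ws-01": "131.0.2",
    "ws-02": "131.0.1",
    "srv-03": "128.3.1esr",
    "srv-04": "128.2.0esr",
    "lab-05": "115.16.1esr",
    "lab-06": "115.15.0esr",
    "ws-07": "130.0 (64-bit)",
}

if __name__ == "__main__":
    print("still exposed:", triage(SAMPLE_INVENTORY))
```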
There are currently no reports on who is exploiting this bug, or how, but judging by similar recent issues there are several ways the vulnerability could be abused, including a watering hole attack targeting specific websites, or a drive-by download campaign that tricks people into visiting the wrong website.
Browsers are an indispensable part of every computer these days, and as such, they are basically omnipresent. This makes them an extremely popular target for cybercriminals looking for a way onto a network and into a device. Firefox, with more than 250 million monthly active users, is one of the most popular products in its category, having been downloaded more than 2 billion times globally.
By hosting vulnerable code, the browser allows threat actors to conduct, among other things, drive-by download attacks. Hackers can inject malicious code into websites or ads they previously compromised. When a user visits such a site, they download malware without even realizing it.
Other types of attacks made possible via compromised browsers include cross-site scripting (XSS), buffer overflows, and man-in-the-middle attacks.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.