Mozilla on Wednesday released a Firefox update that addresses a security defect exploited in the wild as a zero-day for remote code execution.
The vulnerability, tracked as CVE-2024-9680, is a high-severity use-after-free issue in the browser’s Animation timeline, which displays a synchronized graphic representation for all animations applied to a specific element or its children.
“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla notes in its advisory.
Use-after-free vulnerabilities are memory safety bugs that occur when dynamic memory is incorrectly used during a program’s operation. Because an application reuses or references a memory location after freeing it, an attacker could enter malicious data to that memory location to achieve code execution.
“We have had reports of this vulnerability being exploited in the wild,” the browser maker notes.
Mozilla has not provided details on the observed attacks. Cybersecurity firm ESET has been credited with finding CVE-2024-9680 and SecurityWeek has reached out to the company for information on the attacks.
Security updates have been released for both Firefox and its extended support releases. Firefox version 131.0.2 and Firefox ESR versions 128.3.1 and 115.16.1 contain the patches.
The browser updates are being rolled out only one week after Mozilla pushed Firefox 131 to the stable channel with patches for 13 bugs, and released Firefox ESR versions 128.3 and 115.16 with fixes for several of these flaws.
CVE-2024-9680 is the first documented Firefox zero-day of 2024 to be exploited in the wild.
In March, however, Mozilla patched two browser zero-days that were demonstrated at Pwn2Own Vancouver 2024. Tracked as CVE-2024-29943 and CVE-2024-29944, they were discovered by security researcher Manfred Paul, who chained them for sandbox escape and code execution on the system.
Related: Chrome, Firefox Updates Patch High-Severity Vulnerabilities
Related: Copy2Pwn Zero-Day Exploited to Bypass Windows Protections
Related: So Long, Internet Explorer. The Browser Retires Today
Related: Critical Flaw in NSS Cryptographic Library Affects Several Popular Applications