Firefox 131 Update Patches Exploited Zero-Day Vulnerability

Mozilla has released a Firefox 131 update to resolve CVE-2024-9680, a code execution vulnerability exploited in the wild as a zero-day.

Mozilla on Wednesday released a Firefox update that addresses a security defect exploited in the wild as a zero-day for remote code execution.

The vulnerability, tracked as CVE-2024-9680, is a high-severity use-after-free issue in the browser’s Animation timeline, which displays a synchronized graphic representation for all animations applied to a specific element or its children.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla notes in its advisory.

Use-after-free vulnerabilities are memory safety bugs that occur when dynamically allocated memory is mishandled during a program’s operation. Because the application continues to reference or reuse a memory location after freeing it, an attacker who can control what is placed in that freed memory can influence the program’s behavior, potentially achieving code execution.
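The following C program is an added illustration of the use-after-free pattern described above and of one standard mitigation; it is not Firefox code and does not reproduce the actual CVE-2024-9680 defect. The `Animation`/`Timeline` structures, the reference-counting helpers and the function names are hypothetical. `buggy_tick` shows a component holding a bare pointer into memory that another component frees; the hardened version gives every holder its own counted reference so the object cannot be freed while anyone still uses it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical illustration of a use-after-free pattern, not Firefox code. */

typedef struct Animation {
    int refcount;   /* number of holders keeping this object alive */
    int progress;   /* per-animation state that the timeline reads */
} Animation;

typedef struct Timeline {
    Animation *current;   /* the animation the timeline is displaying */
} Timeline;

/* ---- Buggy pattern ------------------------------------------------------
 * The timeline stores a raw pointer but owns nothing. When the element that
 * owns the animation frees it, the timeline still points at freed memory and
 * the final read is a use-after-free (undefined behaviour). Shown only for
 * illustration; nothing in this file ever calls it. */
static int buggy_tick(Timeline *tl, Animation *owned_by_element)
{
    tl->current = owned_by_element;
    free(owned_by_element);          /* element drops its animation ...      */
    return tl->current->progress;    /* ... and the timeline reads freed memory */
}

/* ---- Hardened pattern: reference counting -------------------------------
 * Every holder takes a reference; the object is freed only when the last
 * reference is released, so no holder can observe freed memory. */
static Animation *animation_new(int progress)
{
    Animation *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->refcount = 1;                 /* the creator holds the first reference */
    a->progress = progress;
    return a;
}

static void animation_ref(Animation *a) { if (a) a->refcount++; }

static void animation_unref(Animation *a)
{
    if (a && --a->refcount == 0) free(a);
}

/* The timeline takes its own reference when it starts displaying an animation
 * and drops it when it stops; it never keeps a bare pointer. */
static void timeline_set(Timeline *tl, Animation *a)
{
    animation_ref(a);                /* ref the new one before unref'ing the old */
    animation_unref(tl->current);
    tl->current = a;
}

static void timeline_clear(Timeline *tl)
{
    animation_unref(tl->current);
    tl->current = NULL;
}

/* Returns the displayed animation's progress, or -1 if nothing is shown. */
static int timeline_tick(const Timeline *tl)
{
    return tl->current ? tl->current->progress : -1;
}

/* Walks the same sequence of events as buggy_tick with the hardened types:
 * the element releases its animation while the timeline is still showing it. */
static int safe_scenario(void)
{
    Timeline tl = { NULL };
    Animation *a = animation_new(42);
    timeline_set(&tl, a);              /* refcount: 2 */
    animation_unref(a);                /* element lets go: refcount 1, still alive */
    int progress = timeline_tick(&tl); /* safe: the timeline's ref keeps it alive */
    timeline_clear(&tl);               /* refcount 0: freed exactly once, here */
    return progress;
}

int main(void)
{
    (void)buggy_tick;                  /* referenced only so the example compiles cleanly */
    printf("progress read after the element released it: %d\n", safe_scenario());
    printf("tick on an empty timeline: %d\n", timeline_tick(&(Timeline){ NULL }));
    return 0;
}
```

Compiling with AddressSanitizer (`-fsanitize=address`) and calling `buggy_tick` would report the read as a heap-use-after-free at the line marked above; the same build of `safe_scenario` runs clean, which is the check a reviewer would want when auditing lifetime handling between two components that share an object.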

“We have had reports of this vulnerability being exploited in the wild,” the browser maker notes.

Mozilla has not provided details on the observed attacks. Cybersecurity firm ESET has been credited with finding CVE-2024-9680 and SecurityWeek has reached out to the company for information on the attacks.

Security updates have been released for both Firefox and its extended support releases. Firefox version 131.0.2 and Firefox ESR versions 128.3.1 and 115.16.1 contain the patches.

The browser updates are being rolled out only one week after Mozilla pushed Firefox 131 to the stable channel with patches for 13 bugs, and released Firefox ESR versions 128.3 and 115.16 with fixes for several of these flaws.

CVE-2024-9680 is the first documented Firefox zero-day of 2024 to be exploited in the wild.

In March, however, Mozilla patched two browser zero-days that were demonstrated at Pwn2Own Vancouver 2024. Tracked as CVE-2024-29943 and CVE-2024-29944, they were discovered by security researcher Manfred Paul, who chained them for sandbox escape and code execution on the system.

Related: Chrome, Firefox Updates Patch High-Severity Vulnerabilities

Related: Copy2Pwn Zero-Day Exploited to Bypass Windows Protections

Related: So Long, Internet Explorer. The Browser Retires Today

Related: Critical Flaw in NSS Cryptographic Library Affects Several Popular Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
