Shortly after Firefox version 131.0.2 started rolling out last week with patches for an exploited zero-day vulnerability, the Tor browser too was updated with the fix.
Tracked as CVE-2024-9680, the exploited bug is described as a high-severity use-after-free issue in Firefox’s Animation timeline that could lead to the execution of arbitrary code.
“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla explained last week.
The non-profit organization said it had received reports of the vulnerability being exploited in the wild, but did not provide further information on the matter.
Cybersecurity firm ESET, which was credited with reporting CVE-2024-9680, has not responded to a SecurityWeek inquiry on the observed attacks. On Friday, however, Mozilla revealed that ESET had sent it the in-the-wild exploit targeting CVE-2024-9680.
“The sample ESET sent us contained a full exploit chain that allowed remote code execution on a user’s computer,” Mozilla said.
The browser maker immediately convened a team to reverse-engineer the exploit and understand how it worked, and was able to create and deliver a patch within a day.
“With no notice and some heavy reverse engineering required, we were able to ship a fix in 25 hours,” Mozilla explained.
“While we have resolved the vulnerability in Firefox, our team will continue to analyze the exploit to find additional hardening measures to make deploying exploits for Firefox harder and rarer. It’s also important to keep in mind that these kinds of exploits aren’t unique to Firefox,” Mozilla added.
Patches for CVE-2024-9680, which were included in Firefox version 131.0.2 and Firefox ESR versions 128.3.1 and 115.16.1, are rolling out in Tor browser version 13.5.7.
“Using this vulnerability, an attacker could take control of Tor browser, but probably not deanonymize you in Tails,” Tor’s maintainers explained.
In late September, the Tor Project merged with the security-focused OS Tails.
*Update: This article was modified after the Tor Project updated their blog post to remove the incorrect statement that “Mozilla is aware of this attack being used in the wild against Tor Browser users.”
Related: Firefox 131 Update Patches Exploited Zero-Day Vulnerability
Related: 15-Year-Old Python Vulnerability Present in 350,000 Projects Resurrected
Related: WebKit Zero-Day Vulnerability Exploited in Malvertising Operation
