Mozilla has released an urgent update to address a critical zero-day security flaw in the Firefox browser. The issue, identified as CVE-2024-9680, involves a “use-after-free” vulnerability found in the Animation timelines feature of Firefox. This type of vulnerability occurs when a program tries to use memory that has already been freed, which attackers can exploit to insert harmful code and take control of the system.
Animation timelines are part of Firefox’s Web Animations API, which helps manage animations on websites. According to Mozilla’s security notice, attackers have been able to exploit this zero-day flaw in the wild, leading to code execution within Firefox’s content processes.
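As an added illustration (not Firefox code and not the actual CVE-2024-9680 bug), the following hypothetical C model shows the object relationship this flaw class involves, a shared timeline referenced by several animations, and the reference-counting ownership pattern that stops an animation from reading a timeline after it has been freed. All names, fields and the sample time value are assumptions constructed for the example.

```c
#include <stdlib.h>
/* Hypothetical model (not Firefox code): Animation objects share one Timeline.
 * A use-after-free arises when the Timeline is freed while an Animation still
 * points at it; reference counting makes the last owner free it. */
typedef struct Timeline { int refcount; long current_time; } Timeline;
typedef struct Animation { Timeline *timeline; } Animation; /* owned reference */
/* Creates a timeline owned by its creator (refcount 1); current_time is sample state. */
Timeline *timeline_new(long current_time) {
    Timeline *tl = malloc(sizeof *tl);
    if (!tl) return NULL;
    tl->refcount = 1;
    tl->current_time = current_time;
    return tl;
}
/* Drops one owner; frees only when no owner remains. Returns 1 if freed. */
int timeline_release(Timeline *tl) {
    if (!tl || --tl->refcount > 0) return 0;
    free(tl);
    return 1;
}
/* Attaching takes its own reference instead of borrowing the creator's. */
void animation_attach(Animation *anim, Timeline *tl) {
    if (tl) tl->refcount++;
    anim->timeline = tl;
}
/* Releases the reference and clears the pointer so it cannot dangle. */
int animation_detach(Animation *anim) {
    int freed = timeline_release(anim->timeline);
    anim->timeline = NULL;
    return freed;
}
/* Returns -1 for a detached animation instead of reading through a stale pointer. */
long animation_current_time(const Animation *anim) {
    return anim->timeline ? anim->timeline->current_time : -1;
}
/* Scenario: the document creates a timeline, two animations attach, and the
 * document drops its reference first. Returns the time read afterwards, or -1
 * if an object was freed at the wrong moment. */
long scenario_document_drops_first(void) {
    Timeline *tl = timeline_new(250);
    Animation a = {0}, b = {0};
    animation_attach(&a, tl);
    animation_attach(&b, tl);
    if (timeline_release(tl)) return -1;  /* animations still own it: not freed */
    long t = animation_current_time(&a);  /* still valid: 250 */
    if (animation_detach(&a)) return -1;  /* b still owns it */
    if (!animation_detach(&b)) return -1; /* last owner gone: freed here */
    return t;
}
```

Without the reference count, the `timeline_release(tl)` call made by the document would free the object while both animations still pointed at it, which is exactly the dangling-pointer condition a use-after-free bug creates.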
The flaw affects both the regular release and the Extended Support Release (ESR) versions of Firefox. Mozilla strongly advises users to update their browsers immediately to the following versions to avoid potential risks:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
To update, users can go to the Firefox menu, click on “Settings,” then “Help,” and select “About Firefox.” The update will start automatically, and a browser restart will be required for the changes to take effect.
Zero-day vulnerabilities are security flaws that are discovered and exploited by attackers before developers or companies can issue a fix or update. They are called “zero-day” because the responsible parties have had zero days to prepare a response by the time the exploit becomes known. These vulnerabilities are particularly dangerous because they can be exploited without the knowledge of users or companies, leading to the execution of malicious code or the theft of sensitive data before security teams can release the necessary patches.
This is the second zero-day vulnerability Mozilla has addressed in 2024. Earlier, in March, the company fixed two other critical zero-day vulnerabilities (CVE-2024-29943 and CVE-2024-29944) that were exploited during the Pwn2Own Vancouver hacking competition.