Pierluigi Paganini October 10, 2024

Mozilla released an urgent Firefox update to fix a critical use-after-free vulnerability actively exploited in ongoing attacks.

Mozilla released an emergency security update for its Firefox browser to address a critical use-after-free vulnerability, tracked as CVE-2024-9680, that is actively exploited in attacks.

The vulnerability CVE-2024-9680 resides in Animation timelines. Firefox Animation Timelines is a feature in the Firefox Developer Tools suite that allows developers to inspect, edit, and debug animations directly within the browser. It provides a visual interface for managing animations, including CSS animations and transitions, as well as those created with the Web Animations API.

An attacker could exploit this vulnerability to achieve code execution in the content process.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines.” reads the advisory. “We have had reports of this vulnerability being exploited in the wild.”

The vulnerability was discovered by the security researcher Damien Schaeffer from ESET.

The vulnerability impacts Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Mozilla addressed the flaw with the release of Firefox 131.0.2, Firefox ESR 115.16.1, and Firefox ESR 128.3.1.

Experts urge users to upgrade to the latest version as soon as possible.

In March, Mozilla addressed two Firefox zero-day vulnerabilities, respectively tracked as CVE-2024-29944 and CVE-2024-29943, which were exploited during the Pwn2Own Vancouver 2024 hacking competition.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)