Mozilla patches critical Firefox vuln that attackers are already exploiting
- Reference: 1728559810
- News link: https://www.theregister.co.uk/2024/10/10/firefixed_mozilla_patches_critical_firefox/
- Source link:
Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's animation progresses.
The most alarming aspect of the [1]advisory , however, was Mozilla revealing that the vulnerability is being exploited in the wild already.
[2]
Underlining the severity of the vulnerability, the national cybersecurity centers of Canada, Italy, and the Netherlands were compelled to issue their own [3]advisories .
Campaigners claim 'Privacy Preserving Attribution' in Firefox does the opposite [4]READ MORE
The Dutch national cyber center specifically signaled that while the risk of a criminal exploiting CVE-2024-9680 is rated as "medium," the potential damage from a successful attack is "high."
CVE-2024-9680 was discovered by ESET's Damien Schaeffer and the [5]National Vulnerability Database (NVD) assigned it a near-maximum 9.8 (critical) severity rating using the CVSSv3.
[6]
[7]
Somewhat in opposition to the Dutch cyber cops' take, the NVD's assessment noted that the complexity of the attack was "low" and that no privileges or user interaction was necessary for a successful exploit. The impacts on confidentiality, integrity, and availability were all assessed to be "high."
Likewise, Italy's advisory also rated the vulnerability's impact as "severe," giving it a score of 79.23/100, factoring in the CVSS rating, availability of patches and working exploits, and how prevalent the product is.
[8]Google Chrome gets a mind of its own for some security fixes
[9]GNOME 47 brings back some customization options, but let's not go crazy
[10]Apple quietly removed 60 more VPNs from Russian app store, researchers claim
[11]The future everyone wanted – in-car ads tailored to your journey and passengers
A patch is now available for Firefox and Firefox Extended Support Release (ESR). Upgrading to version 131.0.2 in the regular release and versions 115.16.1 or 128.3.1 for Firefox ESR will fix the vulnerability.
Critical vulnerabilities affecting Firefox – which runs on its own Quantum browser engine rather than on Chromium – are relatively rare. This week's patches are the first to address a top-priority bug in Firefox since March, and only a handful have been discovered in the past few years.
[12]
Similar to CVE-2024-9680, the [13]vulnerabilities patched [14]in March were both [15]zero-days that allowed attackers to execute JavaScript code. Mozilla classified both as "critical," although one was only given an 8.4 (high) score on the CVSS. ®
Get our [16]Tech Resources
[1] https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zwf6KoV9VxBt4bCF0GobcAAAAIs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://advisories.ncsc.nl/advisory?id=NCSC-2024-0403
[4] https://www.theregister.com/2024/09/25/mozilla_noyb_privacy_complaint/
[5] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwf6KoV9VxBt4bCF0GobcAAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zwf6KoV9VxBt4bCF0GobcAAAAIs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/09/12/google_chrome_safety_check/
[9] https://www.theregister.com/2024/09/30/gnome_47/
[10] https://www.theregister.com/2024/09/26/apple_vpn_russia/
[11] https://www.theregister.com/2024/09/10/ford_patent_ads_pii/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zwf6KoV9VxBt4bCF0GobcAAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/
[14] https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/
[15] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[16] https://whitepapers.theregister.com/
Re: Yes but...
I know that this isn't the most helpful answer, but I updated yesterday and I haven't had any messages. I'm on a Mac - Sonoma 14.7.
Re: Yes but...
i'm on a Mac (M1 15in) running Sequoia 15.0.1
Re: Yes but...
Aah - OK. Sounds like something to look forward to when I eventually upgrade to Sequoia.
Re: Yes but...
It's yet another stupid warning for macOS 15, [1]for any app which does LAN access (as you'd expect a browser to do).
Bet Safari doesn't pop up a scary warning...
[1] https://youtrack.jetbrains.com/articles/SUPPORT-A-564/macOS-15-Local-Network-Privacy-blocks-IDE-connections-to-local-resources-databases-app-servers-etc-unless-explicitly-permitted
Re: Yes but...
Don't see that on my systems – MacOS Ventura mainly – but I do get crashes in accountsd every time I update Safari.
You might want to search for the popup because I'd be very surprised to see this in Firefox, though they do now have a few odd things, and certainly not in a patch release like this.
Re: Yes but...
A quick duckduckgo search indicates macOS Sequoia affecting Firefox and Google Chrome
https://discussions.apple.com/thread/255795609?sortBy=rank
https://forums.macrumors.com/threads/problems-with-firefox-connecting-to-local-sites-on-my-network.2439635/
Re: Yes but...
What were your configuration options?
Re: Yes but...
Sorry but you seem to be alone in this: My Firefox didn't ask that either, so I would assume you have a special, individual problem.
Besides why would a Firefox upgrade change the behavior of Thunderbird? AFAIK they are separate programs, aren't they?
It probably isn't anything nefarious (they wouldn't ask politely, would they), but it likely has nothing to do with the Firefox update itself, especially since the security fix is the only item in the changelog (no new features).
Just appeared in update manager
Firefox updated, all works as it usually does
Yes but...
I just applied the update.
Now my web browser wants to start searching my network for other devices and collect data on them. Why?
Thunderbird is asking the same. This is the text of the popup.
This will allow the app to discover, connect to and collect data from devices on your networks.
My answer is 'Hell NO!'