Mozilla, Tor Project Warn Users of Exploited Firefox Flaw

Mozilla is urging Firefox users to apply patches for a critical-severity vulnerability (CVE-2024-9680) that is being exploited in the wild. Firefox users will be prompted by their browsers to update.

The Patches: In a security advisory released Oct. 9, Mozilla said patches are available in Firefox 131.0.2 and Firefox Extended Support Release (ESR) 128.3.1 and 115.16.1. Mozilla also released fixes for the flaw for Thunderbird 115.16, 128.3.1 and 131.0.1. According to its Oct. 10 Thunderbird advisory: “In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”

Key Details:

  • The use-after-free vulnerability exists in the Animation timeline component, and could enable attackers to execute code in the content process 

  • Mozilla said that the flaw was first reported by ESET researchers on Oct. 8, who sent a full exploit chain enabling remote code execution on a user’s computer

  • The Tor Project also released updates to fix the issue in version 13.5.7 of the Tor Browser, which is a modified version of Firefox designed for use with Tor. The Tor Project said that an attacker could leverage the flaw to “take control of Tor Browser, but probably not deanonymize you in Tails,” a Linux operating system that uses Tor and was recently incorporated into the Tor Project’s structure
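A fleet check against the fixed versions named above, as an added example that is not from Mozilla, the Tor Project or the original article. It compares each build against the fix for its own release line, since an ESR build such as 128.3.0 is numerically newer than 115.16.1 yet still unpatched. The inventory rows and host names are constructed, and treating major versions 115 and 128 as the ESR lines is an assumption.

```python
# Fixed versions as listed in the advisories quoted in the article,
# keyed by product and then by major release line.
FIXED = {
    "firefox": {115: (115, 16, 1), 128: (128, 3, 1), 131: (131, 0, 2)},
    "thunderbird": {115: (115, 16, 0), 128: (128, 3, 1), 131: (131, 0, 1)},
    "tor-browser": {13: (13, 5, 7)},
}


def parse_version(text):
    """Turn '128.3.1esr' or '131.0' into a 3-tuple of ints."""
    text = text.strip().lower().removesuffix("esr")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_patched(product, version_text):
    """True if the build is at or above the fix for its release line."""
    lines = FIXED[product]
    version = parse_version(version_text)
    # Use the fix for the build's own major line when the advisory lists
    # one; otherwise compare against the newest listed fix.
    fixed = lines.get(version[0], lines[max(lines)])
    return version >= fixed


def unpatched_hosts(inventory):
    """Return (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.2"),
    ("ws-02", "firefox", "130.0.1"),
    ("ws-03", "firefox", "128.3.0esr"),
    ("ws-04", "firefox", "115.16.1esr"),
    ("ws-05", "thunderbird", "115.16"),
    ("ws-06", "thunderbird", "131.0"),
    ("ws-07", "tor-browser", "13.5.6"),
    ("ws-08", "tor-browser", "13.5.7"),
]

if __name__ == "__main__":
    for host, product, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the CVE-2024-9680 update")
```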

Exploit Activity: While Mozilla said it has received reports of the flaw being exploited in the wild, Mozilla and ESET have released few further details. The Tor Project initially stated in an Oct. 10 post that “Mozilla is aware of this attack being used in the wild against Tor Browsers,” but the post was updated Oct. 14 to state that the Tor Project has no evidence that Tor Browser users were targeted specifically. On Oct. 15, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-9680 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by Nov. 5.

Vendor Response: After receiving the exploit chain from ESET, Mozilla said that it gathered a team of security, browser, compiler and platform engineers to reverse engineer the exploit and gain a better understanding of its inner workings. Mozilla said it was able to ship a fix 25 hours after initial notice. 

“While we take pride in how quickly we respond to these threats, it’s only part of the process,” according to Tom Ritter with Mozilla in a post on Oct. 11. “While we have resolved the vulnerability in Firefox, our team will continue to analyze the exploit to find additional hardening measures to make deploying exploits for Firefox harder and rarer. It’s also important to keep in mind that these kinds of exploits aren’t unique to Firefox.”