Mozilla Confirms Active Attacks on Tor Browser via Firefox Vulnerability
Mozilla has issued an urgent security update for its Firefox browser to address a critical vulnerability that is currently being exploited in the wild. The flaw, tracked as CVE-2024-9680 and assigned a CVSS score of 9.8, could allow attackers to execute arbitrary code on users’ systems.
“Tuesday, around 8 AM Eastern time, we received a heads-up from the Anti-Virus company ESET, who alerted us to a Firefox exploit that had been spotted in the wild,” Mozilla stated in a security advisory. “We want to give a huge thank you to ESET for sharing their findings with us—it’s collaboration like this that keeps the web a safer place for everyone.”
The vulnerability resides in the Animation timeline component, a mechanism within Firefox’s Web Animations API used to control and synchronize animations on web pages. More specifically, it is a use-after-free bug, a class of memory-corruption flaw in which a program keeps using a memory location after that memory has been freed. An attacker who can trigger the bug from a web page may be able to run malicious code and take control of the affected system.
“The sample ESET sent us contained a full exploit chain that allowed remote code execution on a user’s computer,” Mozilla explained. “Within an hour of receiving the sample, we had convened a team of security, browser, compiler, and platform engineers to reverse engineer the exploit, force it to trigger its payload, and understand how it worked.”
Despite the lack of advance notice and the complexity of the exploit, Mozilla was able to develop and ship a fix in just 25 hours. This rapid response underscores the severity of the vulnerability and the importance of updating to the latest version of Firefox immediately.
The patched versions are Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1, Thunderbird 115.16, Thunderbird 128.3.1, and Thunderbird 131.0.1.
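For administrators who need to find unpatched installs across a fleet, the following added check (not Mozilla's code) compares reported Firefox/Thunderbird versions against the fixed builds listed above, per release branch. It assumes that a major version of 115 or 128 denotes the ESR branch, that Thunderbird 115.16 means 115.16.0, and it uses a constructed sample inventory.

```python
"""Check whether a Firefox/Thunderbird build is patched against CVE-2024-9680.

Added example, not Mozilla's code. Fixed versions are the ones named in the
advisory text above; the branch mapping (major 115/128 = ESR) is an assumption
about how inventory data is typically grouped.
"""
import re

# Minimum fixed versions per product and release branch (from the advisory).
FIXED = {
    "firefox": {131: (131, 0, 2), 128: (128, 3, 1), 115: (115, 16, 1)},
    "thunderbird": {131: (131, 0, 1), 128: (128, 3, 1), 115: (115, 16, 0)},
}


def parse_version(text):
    """Turn '128.3.1esr' or '131.0.2' into a 3-tuple of ints (suffix ignored)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(product, version):
    """Return True when `version` is at or above the fixed build for its branch.

    Majors newer than any listed branch (e.g. 132.x) shipped after the fix and
    count as patched; majors between branches (e.g. 120.x) have no fixed build
    and are reported as unpatched.
    """
    v = parse_version(version)
    branches = FIXED[product.lower()]
    major = v[0]
    if major in branches:
        return v >= branches[major]
    return major > max(branches)


def triage(inventory):
    """Return the hostnames from an inventory that still need the update."""
    return sorted(h for h, (prod, ver) in inventory.items() if not is_patched(prod, ver))


# Constructed sample inventory, as an endpoint agent might report it.
SAMPLE = {
    "ws-01": ("firefox", "131.0.2"),
    "ws-02": ("firefox", "131.0.1"),
    "ws-03": ("firefox", "128.3.0esr"),
    "ws-04": ("firefox", "128.3.1esr"),
    "ws-05": ("thunderbird", "115.15.0"),
    "ws-06": ("firefox", "120.0"),
}

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['ws-02', 'ws-03', 'ws-05', 'ws-06']
```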
Worryingly, Mozilla has confirmed that the vulnerability is being actively exploited against Tor Browser users. However, details about the nature of these attacks and the identity of the attackers remain scarce.