
Irish Information Security Forum

ALERT! Critical Firefox, Tor Browser and Thunderbird vulnerability (CVE-2024-9680)

Release Date: 14 October 2024

A Mozilla vulnerability, tracked as CVE-2024-9680, is a critical use-after-free issue in the Firefox browser, Tor Browser and the Thunderbird mail client.

The flaw was discovered by a researcher at the cybersecurity firm ESET and was first patched by the Mozilla Foundation in Firefox and Thunderbird last week. A use-after-free occurs when a program keeps using memory after it has been freed; an attacker who can get that freed memory reallocated with data under their control then influences what the stale reference reads or calls, which in a browser typically leads to arbitrary code execution.

Description: The vulnerability allows an attacker to execute arbitrary code in the content process by exploiting a use-after-free in Animation timelines.

 

Impact: This vulnerability affects Firefox versions prior to 131.0.2, as well as Firefox Extended Support Release (ESR) versions prior to 128.3.1 and 115.16.1. Thunderbird and Tor Browser are built from the same code base and are affected until updated to their corresponding fixed releases.

Exploitation: Mozilla states that it has had reports of this vulnerability being exploited in the wild; ESET found an exploit for it in use and reported it to Mozilla, which is why the fix shipped as an emergency release.

Fix: Mozilla released an emergency security update on 9 October 2024 to address this issue. Users are strongly advised to update Firefox to 131.0.2 or later (ESR: 128.3.1 or 115.16.1 or later) and Thunderbird and Tor Browser to their corresponding fixed releases. In Firefox, Help > About Firefox shows the installed version and triggers the built-in updater; managed fleets should confirm the version rather than assume the update applied.

Tor Browser is a modified version of Firefox ESR specifically designed for use with Tor, so it inherited the flaw. The Tor Project issued an emergency patch last week to address this recently discovered security flaw, which was being exploited in the wild.

"Using this vulnerability, an attacker could take control of Tor Browser, but probably not deanonymize you in Tails," the Tails project stated in its advisory.

The Tor Project added: "To be clear, the Tor Project has no evidence that Tor Browser users were targeted specifically."

The Firefox vulnerability has since been addressed with Tor Browser releases 13.5.7, 13.5.8 (for Android) and 14.0a9, whose release notes describe them as "an emergency release to fix a critical security vulnerability in Tor Browser."

The CVE-2024-9680 vulnerability is a "use-after-free" flaw: the program keeps a reference to an object after that object's memory has been released, and later uses the stale reference. Because the allocator can hand the freed memory to a new allocation in the meantime, an attacker who can influence that new allocation controls what the stale reference sees, and if the object contained a function pointer or vtable, controls where execution goes.
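The bug class described above (and in the opening paragraphs) is easiest to see in code. The following is an added, constructed illustration of a use-after-free beside a reference-counted fix; it is not Mozilla's Animation-timeline code and shows nothing about how CVE-2024-9680 itself is triggered. The `struct timeline`, the `g_active` cache and the 0x41 filler standing in for attacker-controlled data are all assumptions made for the demonstration.

```c
/* uaf_demo.c: the use-after-free pattern beside a hardened form.
 * Constructed illustration of the bug class only; not Mozilla code and
 * unrelated to how CVE-2024-9680 is triggered. Run under AddressSanitizer
 * to see the bug flagged:
 *   cc -g -fsanitize=address uaf_demo.c -o uaf_demo && ./uaf_demo
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A toy object with a lifetime (think: an animation timeline) that one
 * component owns while another component caches a pointer to it. */
struct timeline {
    int refs;   /* reference count, used only by the hardened API */
    int id;
};

struct timeline *timeline_new(int id) {
    struct timeline *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->refs = 1;
    t->id = id;
    return t;
}

/* Owner-side teardown in the vulnerable design: frees unconditionally. */
static void destroy_raw(struct timeline *t) { free(t); }

/* Another component keeps a raw, unowned pointer to "the active timeline". */
static struct timeline *g_active;

/* VULNERABLE: the cached pointer outlives the object. The allocator may hand
 * the freed chunk to the next same-sized allocation, so whoever controls that
 * allocation controls what the stale pointer reads (or, with a function
 * pointer in the object, what gets called). Undefined behaviour: ASan aborts
 * here with heap-use-after-free; without it the result is whatever now sits
 * in the chunk (the constructed 0x41 filler on a typical glibc build). */
int vulnerable_use(void) {
    struct timeline *t = timeline_new(7);
    if (!t) return -1;
    g_active = t;

    destroy_raw(t);                        /* owner tears the object down ... */

    char *reuse = malloc(sizeof *t);       /* ... chunk is reallocated and     */
    if (reuse) memset(reuse, 0x41, sizeof *t);   /* filled with chosen bytes   */

    int id = g_active->id;                 /* USE AFTER FREE */
    free(reuse);
    g_active = NULL;
    return id;
}

/* HARDENED: reference counting. Every holder owns a reference, so the object
 * cannot be freed while anyone still uses it, and release nulls the caller's
 * pointer so a second use fails loudly instead of reading stale memory. This
 * is the strong-reference (RefPtr-style) discipline browsers rely on. */
struct timeline *timeline_retain(struct timeline *t) {
    if (t) t->refs++;
    return t;
}

/* Drops one reference; returns references remaining, or -1 if *tp was already
 * NULL (a second release is a harmless no-op rather than a double free). */
int timeline_release(struct timeline **tp) {
    if (!tp || !*tp) return -1;
    int remaining = --(*tp)->refs;
    if (remaining == 0) {
        memset(*tp, 0, sizeof **tp);       /* scrub before free */
        free(*tp);
    }
    *tp = NULL;                            /* kill the dangling pointer */
    return remaining;
}

int hardened_use(void) {
    struct timeline *t = timeline_new(7);
    if (!t) return -1;
    struct timeline *active = timeline_retain(t);   /* cache holds its own ref */

    timeline_release(&t);                  /* owner "tears it down": drops its ref only */

    int id = active->id;                   /* safe: alive while we hold a reference */
    timeline_release(&active);             /* last reference: freed and nulled here */
    return id;
}

/* Walks the reference life cycle; returns 1 only if every step behaved. */
int refcount_walkthrough(void) {
    struct timeline *a = timeline_new(1);
    if (!a || a->refs != 1) return 0;
    struct timeline *b = timeline_retain(a);
    if (b != a || a->refs != 2) return 0;
    if (timeline_release(&a) != 1 || a != NULL) return 0;   /* b keeps it alive */
    if (b->refs != 1 || b->id != 1) return 0;
    if (timeline_release(&b) != 0 || b != NULL) return 0;   /* freed here */
    if (timeline_release(&b) != -1) return 0;               /* no double free */
    return 1;
}

int main(void) {
    printf("hardened_use         -> %d\n", hardened_use());
    printf("refcount_walkthrough -> %s\n", refcount_walkthrough() ? "ok" : "FAIL");
    /* Buggy path last: ASan reports here; otherwise it prints the filler. */
    printf("vulnerable_use       -> 0x%x\n", vulnerable_use());
    return 0;
}
```

The point of the hardened half is that the fix is an ownership rule, not a check at the single crash site: as long as every user of the object holds a reference, the owner's teardown cannot free it underneath them, which is why browser vendors close this class with strong references and scrub-on-free rather than with ad hoc null checks.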

 

Memory corruption bugs like this are a staple of browser exploitation: they give the attacker code execution inside the browser's content process, which can then be chained with a sandbox escape for control of the underlying system. The vulnerability carries a CVSS v3.1 score of 9.8 out of 10 (critical), with a vector indicating a network attack of low complexity requiring no privileges and no user interaction. In practice the trigger is the victim loading attacker-controlled web content, so visiting a malicious or compromised page is sufficient; no download or prompt is involved.

To address the flaw, both Mozilla and the Tor Project recommend that users update their browser installations to the most current versions available.

References:
www.cve.org (CVE-2024-9680)
www.mozilla.org
www.bleepingcomputer.com
therecord.media


If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2
