Release Date: 14 October 2024
The flaw was discovered by a researcher at the cybersecurity firm ESET and was first patched by the Mozilla Foundation in its Firefox web browser and Thunderbird mail client last week. A use-after-free occurs when a program keeps a pointer to memory after that memory has been freed and later dereferences it. If an attacker can get the freed region reallocated and filled with chosen data before the stale pointer is used, the program operates on attacker-controlled content (for example a function pointer or object header), which can be turned into arbitrary code execution.
Description: The vulnerability allows an attacker to execute arbitrary code in the content process by exploiting a use-after-free in Animation timelines. The content process is the sandboxed process that renders web content, so a sandbox escape is a separate step beyond this bug.
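As an added illustration of the mechanism described above (a constructed example, not Firefox or Mozilla code): a timeline keeps a raw pointer to an animation object, the object is freed while the timeline still references it, the freed slot is reallocated with attacker-chosen content, and the next tick calls through the stale pointer. The names Animation, Timeline, pool_alloc and the fixed pool are this example's own; a small static pool stands in for the heap so the stale access is deterministic rather than undefined behaviour. The hardened variant alongside it gives the timeline a counted reference, so the object cannot be freed while the timeline still points at it.

```c
/* Toy model of a use-after-free via a timeline holding a raw pointer to an
 * animation object, beside a reference-counted fix. Constructed example;
 * the types and pool are this illustration's own, not browser code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct Animation Animation;
typedef double (*UpdateFn)(Animation *);

struct Animation {
    UpdateFn update;     /* called by the timeline on every tick */
    double start_ms;
    double duration_ms;
    int refcount;        /* used by the hardened version only */
};

/* A fixed pool stands in for the heap so that a stale pointer observes the
 * slot's new contents deterministically instead of invoking undefined behaviour. */
#define POOL_SLOTS 4
static Animation g_pool[POOL_SLOTS];
static bool g_in_use[POOL_SLOTS];
static int g_live;

static void pool_reset(void) { memset(g_in_use, 0, sizeof g_in_use); g_live = 0; }
int live_objects(void) { return g_live; }

static Animation *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!g_in_use[i]) {
            g_in_use[i] = true;
            g_live++;
            memset(&g_pool[i], 0, sizeof g_pool[i]);
            return &g_pool[i];
        }
    }
    return NULL;
}

static void pool_free(Animation *a) {
    g_in_use[a - g_pool] = false;
    g_live--;
    memset(a, 0xA5, sizeof *a);   /* poison freed memory, as a hardened allocator would */
}

static double end_time(Animation *a) { return a->start_ms + a->duration_ms; }
/* Stands in for attacker-controlled control flow reached through the stale pointer. */
static double attacker_update(Animation *a) { (void)a; return -1.0; }

typedef struct { Animation *anims[POOL_SLOTS]; int count; } Timeline;

static double timeline_tick(Timeline *tl) {
    double sum = 0.0;
    for (int i = 0; i < tl->count; i++) sum += tl->anims[i]->update(tl->anims[i]);
    return sum;
}

/* Vulnerable: the timeline holds a raw pointer and nobody tells it when the object dies. */
double demo_vulnerable(void) {
    pool_reset();
    Timeline tl = {{0}, 0};
    Animation *a = pool_alloc();
    a->update = end_time; a->start_ms = 0; a->duration_ms = 500;
    tl.anims[tl.count++] = a;           /* raw pointer, no ownership */
    pool_free(a);                       /* owner frees; tl.anims[0] now dangles */
    /* The attacker allocates an object of the same size: it lands in the freed
     * slot and its contents, including the function pointer, are attacker-chosen. */
    Animation *groomed = pool_alloc();
    groomed->update = attacker_update;
    double ticked = timeline_tick(&tl); /* calls attacker_update through the stale pointer */
    pool_free(groomed);
    return ticked;
}

/* Hardened: every holder of a pointer owns a counted reference. */
static void animation_ref(Animation *a) { a->refcount++; }
static void animation_unref(Animation *a) { if (--a->refcount == 0) pool_free(a); }

static void timeline_add(Timeline *tl, Animation *a) {
    animation_ref(a);
    tl->anims[tl->count++] = a;
}

static void timeline_remove(Timeline *tl, Animation *a) {
    for (int i = 0; i < tl->count; i++) {
        if (tl->anims[i] == a) {
            tl->anims[i] = tl->anims[--tl->count];
            animation_unref(a);         /* drop the timeline's reference last */
            return;
        }
    }
}

double demo_hardened(void) {
    pool_reset();
    Timeline tl = {{0}, 0};
    Animation *a = pool_alloc();
    a->update = end_time; a->start_ms = 0; a->duration_ms = 500; a->refcount = 1; /* owner's ref */
    timeline_add(&tl, a);               /* refcount 2 */
    animation_unref(a);                 /* owner is done: refcount 1, object stays alive */
    Animation *groomed = pool_alloc();  /* attacker gets a different slot */
    groomed->update = attacker_update;
    double ticked = timeline_tick(&tl); /* 500.0: still the real object */
    timeline_remove(&tl, a);            /* last ref dropped: slot freed, nothing points at it */
    pool_free(groomed);
    return ticked;
}

int main(void) {
    printf("vulnerable tick: %.1f (attacker code ran)\n", demo_vulnerable());
    printf("hardened tick:   %.1f (real object)\n", demo_hardened());
    return 0;
}
```

The vulnerable path is exactly the exploitation primitive the advisory text describes: the freed slot is refilled with attacker-chosen bytes and the stale dereference then hands control to the attacker. The fix is not a null check but ownership: the timeline's reference keeps the object alive, and the object is only released when every holder has let go.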
Impact: Firefox versions prior to 131.0.2, Firefox Extended Support Release (ESR) versions prior to 128.3.1, and Firefox ESR versions prior to 115.16.1 are affected. Thunderbird shares the affected code and received a fix in the same round of updates.
Exploitation: Reports indicate that this vulnerability has been actively exploited in the wild.
Fix: Mozilla has released an emergency security update to address this issue. Users are strongly advised to update Firefox, Firefox ESR and Thunderbird to the fixed versions or later to mitigate the risk.
Tor Browser is a modified version of Firefox ESR specifically designed for use with the Tor network, so it inherits Firefox vulnerabilities. The Tor Project issued an emergency Tor Browser release last week to address this recently discovered flaw, which was being exploited in the wild.
"Using this vulnerability, an attacker could take control of Tor Browser, but probably not deanonymize you in Tails," the Tails project stated in its advisory. The Tor Project added: "To be clear, the Tor Project has no evidence that Tor Browser users were targeted specifically." The vulnerability has been addressed in Tor Browser 13.5.7, 13.5.8 (for Android) and 14.0a9; the release notes describe the update as "an emergency release to fix a critical security vulnerability in Tor Browser."
Memory corruption bugs like this are a staple of browser attacks, potentially giving attackers control over the browser's content process and a foothold for further access to the system. The flaw is reachable over the network with low attack complexity and is scored as requiring no user interaction; in practice that means the victim only has to load a page or embedded content the attacker controls. It has been assigned a CVSS score of 9.8 out of 10, indicating a critical vulnerability.
To address the flaw, both Mozilla and the Tor Project recommend that users update their browser installations to the most current versions available. Tor Browser users must update the browser itself; the fix is not delivered by the Tor network.
References:
www.cve.org
www.bleepingcomputer.com