Mozilla patches critical Firefox vuln that attackers are already exploiting

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser.

Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's animation progresses.

The most alarming aspect of the advisory, however, was Mozilla revealing that the vulnerability is being exploited in the wild already.

Underlining the severity of the vulnerability, the national cybersecurity centers of Canada, Italy, and the Netherlands were compelled to issue their own advisories. 

The Dutch national cyber center specifically signaled that while the risk of a criminal exploiting CVE-2024-9680 is rated as "medium," the potential damage from a successful attack is "high."

CVE-2024-9680 was discovered by ESET's Damien Schaeffer and the National Vulnerability Database (NVD) assigned it a near-maximum 9.8 (critical) severity rating using the CVSSv3.

Somewhat in opposition to the Dutch cyber cops' take, the NVD's assessment noted that the complexity of the attack was "low" and that no privileges or user interaction was necessary for a successful exploit. The impacts on confidentiality, integrity, and availability were all assessed to be "high."

Likewise, Italy's advisory also rated the vulnerability's impact as "severe," giving it a score of 79.23/100, factoring in the CVSS rating, availability of patches and working exploits, and how prevalent the product is.

• Google Chrome gets a mind of its own for some security fixes
• GNOME 47 brings back some customization options, but let's not go crazy
• Apple quietly removed 60 more VPNs from Russian app store, researchers claim
• The future everyone wanted – in-car ads tailored to your journey and passengers

A patch is now available for Firefox and Firefox Extended Support Release (ESR). Upgrading to version 131.0.2 in the regular release and versions 115.16.1 or 128.3.1 for Firefox ESR will fix the vulnerability.

Critical vulnerabilities affecting Firefox – which runs on its own Quantum browser engine rather than on Chromium – are relatively rare. This week's patches are the first to address a top-priority bug in Firefox since March, and only a handful have been discovered in the past few years.

Similar to CVE-2024-9680, the vulnerabilities patched in March were both zero-days that allowed attackers to execute JavaScript code. Mozilla classified both as "critical," although one was only given an 8.4 (high) score on the CVSS. ®