
Mozilla reveals critical vulnerability in Firefox – Source: www.csoonline.com


Source: www.csoonline.com – Author:

News

10 Oct 2024, 3 mins

Browser Security, Vulnerabilities, Zero-day vulnerability

Browser needs to be updated to fix a zero-day bug that’s already being exploited.

Infosec leaders are being warned to make sure employees using the Firefox browser have the latest update installed after the discovery of a critical zero-day vulnerability.

The Mozilla Foundation said Wednesday the hole — CVE-2024-9680 — is already being exploited by a threat actor or actors to run code if a user goes to a malicious website.

Administrators who have disabled browser auto-updating, or who don’t let employees update their own browsers, should act fast.

The hole is described by Mozilla as a use-after-free flaw in Animation timelines. That is a dynamic memory-safety defect: Kaspersky explained that if a program frees a memory location but does not clear the pointer to that memory, an attacker can use the stale pointer to take control of the program. An Animation timeline is an interface in Firefox’s Web Animations API that controls and synchronizes the timeline of an animation.
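As an added illustration, not Firefox code and not from the article, here is a toy C model of the bug class described above: an animation keeps a pointer to a shared timeline object, and the robust fix is explicit ownership via reference counts rather than a bare free() that leaves other holders dangling. All type and function names are constructed for this example.

```c
#include <stdlib.h>

/* Constructed toy model, not Firefox code: an animation keeps a pointer to a
 * shared timeline object. The bug class in the article is a timeline freed
 * while an animation still holds (and later uses) a pointer to it. */
typedef struct {
    double current_time;
    int refcount;               /* number of live owners */
} timeline_t;

typedef struct { timeline_t *timeline; } animation_t;

timeline_t *timeline_new(void) {
    timeline_t *t = calloc(1, sizeof *t);
    if (t) t->refcount = 1;     /* creator holds the first reference */
    return t;
}

/* Vulnerable pattern (never called here): the owner drops the timeline with a
 * plain free() while animations still point at it. Each animation's pointer is
 * now dangling and any later tick is a use-after-free. */
void timeline_drop_buggy(timeline_t *t) { free(t); }

/* Hardened pattern: owners take and release references; memory is freed only
 * when the last owner lets go, so no live pointer can dangle. */
void timeline_ref(timeline_t *t) { t->refcount++; }
void timeline_unref(timeline_t *t) { if (--t->refcount == 0) free(t); }

void animation_attach(animation_t *a, timeline_t *t) {
    a->timeline = t;
    timeline_ref(t);            /* the animation now co-owns the timeline */
}
void animation_detach(animation_t *a) {
    timeline_unref(a->timeline);
    a->timeline = NULL;         /* also clear the local copy */
}
double animation_tick(animation_t *a, double dt) {
    return a->timeline->current_time += dt;
}

/* Demo: the original owner releases its reference first, yet the animation's
 * later ticks still touch live memory. Returns the final timeline time. */
double demo_release_before_use(void) {
    timeline_t *t = timeline_new();
    if (!t) return -1.0;
    animation_t anim;
    animation_attach(&anim, t); /* refcount 2 */
    timeline_unref(t);          /* owner lets go: refcount 1, still live */
    animation_tick(&anim, 16.0);
    double now = animation_tick(&anim, 16.0);
    animation_detach(&anim);    /* refcount 0: freed exactly once, here */
    return now;
}
```

Building with AddressSanitizer (-fsanitize=address) turns the buggy pattern into an immediate, diagnosable crash during testing instead of a latent exploitable condition.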

“Remote Code Execution is a valuable tool in an attacker’s arsenal,” Dan Schiappa, Arctic Wolf’s chief product and services officer, said in an email interview, “and leveraging web browsers like Mozilla with millions of users proves yet again that there’s no organization or service that’s too big to target. Threat actors see browsers as an opportunity to exploit unsuspecting users by injecting malicious code into certain ads or websites that users click on.

“We don’t know how fast this vulnerability is being exploited, but it should serve as a reminder for organizations and users that staying up-to-date with patches and updates is a critical element of a resilient security policy.”

Satnam Narang, a senior staff research engineer at Tenable, noted in an interview that Mozilla hasn’t provided details about the exploit. “Unfortunately, without the full context we don’t know how widespread exploitation was,” he said. “I imagine it’s not super-wide, because if it was, we probably would have heard more about it. So I would err on the side of this likely being used in limited fashion in targeted attacks.”

Most IT administrators have auto-updating enabled by default, he added.

Use-after-free [UAF] vulnerabilities in applications are common, Narang said. In 2023, UAF vulnerabilities were at the top of the US Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities [KEV] catalogue. By comparison, MITRE’s wider list of bugs put UAF vulnerabilities in fourth place.


Original Post url: https://www.csoonline.com/article/3557973/mozilla-reveals-critical-vulnerability-in-firefox.html

Category & Tags: Browser Security, Vulnerabilities, Zero-day vulnerability
