firefox

Mozilla fixes critical Firefox bug exploited in the wild

Mozilla has patched a serious security flaw in its Firefox web browser that the company said is being exploited by hackers.

In an advisory on Wednesday, Mozilla stated that the bug, tracked as CVE-2024-9680, could allow attackers to execute malicious code within the browser’s content process — an environment where web content is loaded and rendered.

The vulnerability was discovered by Damien Schaeffer, a researcher from the cybersecurity firm ESET, in the browser’s animation timelines, which control how animations are presented on web pages.

It’s a “use-after-free” flaw that occurs when a program tries to use memory that it has already released or freed. Such memory corruption bugs are typically used to attack and exploit browsers and could potentially give attackers control over the service or further access to the system.

Mozilla said it received reports of this vulnerability being exploited in the wild but did not provide further details.

The exploit requires no user interaction and can be executed over the network with low complexity. It was given a CVSS score of 9.8 out of 10, signifying a critical vulnerability, according to researchers at  Recorded Future. The Record is an editorially independent unit of Recorded Future.

To address this vulnerability, Mozilla recommends that users update their Firefox installations to the most current versions available.

“Ignoring this update could lead to severe security breaches and data compromise within affected organizations,” researchers warned.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.