Recently-patched Firefox bug exploited against Tor browser users
The Tor anonymity network issued an emergency patch last week to address a recently-discovered security flaw that was being exploited against its users.
The bug, tracked as CVE-2024-9680, allows attackers to execute malicious code within the browser’s content process — the environment where web content is loaded and rendered.
The flaw was discovered by a researcher from the cybersecurity firm ESET and was first patched by the Mozilla Foundation in its Firefox web browser last week.
According to Tor’s statement, Mozilla is aware of the flaw being actively exploited in the wild against Tor Browser users.
“Using this vulnerability, an attacker could take control of Tor Browser, but probably not deanonymize you in Tails,” the statement reads.
Tails is a privacy-focused operating system that runs from a USB or DVD, leaving no trace on the host computer after shutdown. It routes all internet traffic through the Tor network to ensure anonymity and comes with built-in tools like encrypted email, secure messaging and disk encryption.
The CVE-2024-9680 vulnerability is described as a “use-after-free” flaw, which occurs when a program tries to access memory that has already been released or freed. Memory corruption bugs like this are often used to attack browsers, potentially giving attackers control over the service or further access to the system.
The exploit requires no user interaction and can be executed over the network with low complexity. It has been assigned a CVSS score of 9.8 out of 10, indicating a critical vulnerability.
To address the flaw, both Mozilla and Tor recommend that users update their browser installations to the most current versions available.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.