Mozilla reveals critical vulnerability in Firefox

Published 2024-10-11 on cybersecurityinfocus.com

Infosec leaders are being warned to make sure employees using the Firefox browser have the latest update installed after the discovery of a critical zero-day vulnerability (https://www.csoonline.com/article/565704/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html).

The Mozilla Foundation said Wednesday (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680) that the hole, CVE-2024-9680, is already being exploited by a threat actor or actors to run code if a user visits a malicious website.

Administrators who don't allow auto-updating of browsers, or who leave it to employees to update their own browsers, should act fast.

The hole is described by Mozilla as a use-after-free flaw in Animation timelines. That's tech-speak for a dynamic memory management bug that an attacker can exploit. Kaspersky explained (https://encyclopedia.kaspersky.com/glossary/use-after-free/#:~:text=Use-After-Free%20(UAF,error%20to%20hack%20the%20program.) that if, after freeing a memory location, a program doesn't clear the pointer to that memory, an attacker can use the error to hack the program. Animation timeline is an interface in Firefox's Web Animations API that controls and synchronizes the timeline of an animation.

"Remote Code Execution is a valuable tool in an attacker's arsenal," Dan Schiappa, Arctic Wolf's chief product and services officer, said in an email interview, "and leveraging web browsers like Mozilla with millions of users proves yet again that there's no organization or service that's too big to target. Threat actors see browsers as an opportunity to exploit unsuspecting users by injecting malicious code into certain ads or websites that users click on.

"We don't know how fast this vulnerability is being exploited, but it should serve as a reminder for organizations and users that staying up-to-date with patches and updates is a critical element of a resilient security policy."

Satnam Narang, a senior staff research engineer at Tenable, noted in an interview that Mozilla hasn't provided details about the exploit. "Unfortunately, without the full context we don't know how widespread exploitation was," he said. "I imagine it's not super-wide, because if it was, we probably would have heard more about it. So I would err on the side of this likely being used in limited fashion in targeted attacks."

Most IT administrators have auto-updating enabled by default, he added.

Use-after-free [UAF] vulnerabilities in applications are common, Narang said. In 2023, UAF vulnerabilities were at the top of the US Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities [KEV] catalogue. By comparison, MITRE's wider list of bugs put UAF vulnerabilities in fourth place.