If you use Firefox, updating is advised!
On October 9, a Mozilla Foundation Security Advisory announced a critical vulnerability, CVE-2024-9680, that allows attackers to take control of affected systems by exploiting a use-after-free issue in Firefox, leading to potential full system compromise.
Mozilla:
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
The issue was fixed in:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
What is a use-after-free vulnerability?
A use-after-free (UAF for short) occurs when a piece of software continues to use a chunk of memory after it has been freed. The browser uses memory to store data and other information needed to perform tasks such as:
- JavaScript execution. Handling variables, functions, and event listeners.
- DOM management. Storing references to HTML elements, CSS styles.
- Network requests. Managing responses from HTTP requests.
- Rendering. Storing information about how to paint web pages.
- Garbage collection. Automatically freeing up memory that is no longer needed by the JavaScript engine.
Once a task is complete, such as after an animation finishes or a script is no longer needed, the browser will eventually “free” the memory used for those processes, letting the computer know that it no longer needs that piece of memory.
In the context of Firefox, due to a bug or oversight, the program continues to access memory after it has been freed, leading to this use-after-free vulnerability.
The two main scenarios that can occur are:
Memory Corruption
After memory is freed, it can be reallocated for a different purpose. If the program tries to access or modify the memory that was already freed, it can cause invalid pointers or buffer overflows, resulting in crashes more often than not.
Code Execution
An attacker can manipulate the freed memory by allocating it for malicious purposes, potentially getting the program to execute their code, leading to hijacking or system control.
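The reuse-after-free pattern described above, as an added example that is not code from Mozilla or from this post: a small slot pool stands in for the heap, and a generation counter shows one common way to make a stale reference detectable. All names (`pool_alloc`, `Handle`, `get_checked` and so on) are hypothetical and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model: a fixed slot pool stands in for the heap, so the stale
   read below is well-defined C rather than real undefined behaviour. */
#define SLOTS 4
typedef struct { uint32_t gen; int live; char data[16]; } Slot;
typedef struct { uint32_t idx, gen; } Handle;    /* checked reference */
static Slot pool[SLOTS];

/* Take the first free slot, the way a heap reuses a freed chunk. */
Handle pool_alloc(const char *data) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", data);
        return (Handle){ i, pool[i].gen };
    }
    return (Handle){ SLOTS, 0 };                 /* pool exhausted */
}

/* Release a slot; bumping the generation invalidates every old handle. */
void pool_free(Handle h) {
    if (h.idx >= SLOTS || !pool[h.idx].live || pool[h.idx].gen != h.gen) return;
    pool[h.idx].live = 0;
    pool[h.idx].gen++;
}

/* Unchecked access trusts an in-range index alone, like a dangling pointer. */
const char *get_unchecked(Handle h) { return pool[h.idx].data; }
/* Checked access returns NULL when the handle is stale or out of range. */
const char *get_checked(Handle h) {
    if (h.idx >= SLOTS || !pool[h.idx].live || pool[h.idx].gen != h.gen)
        return NULL;
    return pool[h.idx].data;
}

/* Free an object, let a new allocation reuse its slot, then read through
   the old reference. Returns 1 when only the checked path refuses it. */
int demo(void) {
    memset(pool, 0, sizeof pool);
    Handle timeline = pool_alloc("timeline");
    pool_free(timeline);                         /* object is gone ...  */
    Handle other = pool_alloc("other-data");     /* ... slot is reused  */
    int stale_sees_other = strcmp(get_unchecked(timeline), "other-data") == 0;
    return stale_sees_other && get_checked(timeline) == NULL
        && get_checked(other) != NULL;
}
int main(void) { printf("only checked path refused: %d\n", demo()); return 0; }
```

The unchecked read silently returns the data of the unrelated object that now occupies the slot, which is the memory-corruption scenario; the generation check turns the same stale access into a detectable error.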
Conclusion
If you are using any of the affected versions, it is highly recommended to update to the latest version as soon as possible. And why not, maybe it’s time to test new browsers.