Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680)

Mozilla has pushed out an emergency update for its Firefox and Firefox ESR browsers to fix a vulnerability (CVE-2024-9680) that is being exploited in the wild.

About CVE-2024-9680

Reported by ESET malware researcher Damien Schaeffer, CVE-2024-9680 is a use-after-free vulnerability in the browser’s Animation timelines and, according to Mozilla, has been exploited to achieve code execution in the content process.

Additional details about the vulnerability or the attacks are yet to be shared.

According to Mozilla’s engineers, the versions with the fix – Firefox 131.0.2, Firefox ESR 115.16.1 and Firefox ESR 128.3.1 – have been shipped within 25 hours after the vulnerability was reported to them.

How to upgrade your Firefox?

Automatic updates are enabled in Firefox by default, so this latest security update will be delivered to most home users and implemented when they restart their browser.

Those who have turned off the option must check for updates manually (in Settings > General > Firefox Updates), and are urged to upgrade as soon as possible.

cve-2024-9680="" mozilla-firefox-use-after-free-vulnerability="" "="" title="Mozilla Firefox Use-After-Free Vulnerability">CVE-2024-9680" title="Firefox update options">

Firefox update options

In enterprise settings, automatic updates are often disabled by the organization’s IT administrators and employees usually don’t have sufficient privileges to check for and implement updates – it’s the IT department’s responsibility to implement them.

Tor Browser, which includes a modified Mozilla Firefox ESR browser, has also been updated to fix the vulnerability.