Firefox emergency update plugs attacked security leak
New versions of Firefox close security gaps that are already under attack in the wild.
Security gaps in Firefox put users at risk.
(Image: Created with AI in Bing Designer by heise online / dmk)
There is a gaping security hole in the Firefox web browser, which is already being actively attacked in the wild. Updated browser versions plug the security hole.
The Mozilla developers warn in a security notice that this is a vulnerability in animation timelines. Through a use-after-free flaw, attackers have been able to inject and execute code in the content process (CVE-2024-9680, no CVSS value yet, classified by Mozilla programmers as "critical"). With this type of vulnerability, the program code accesses resources that have already been released and whose content is therefore undefined. This can often be abused to inject malicious code.
Firefox: Updated versions
However, the developers do not discuss what the attacks actually look like or how to check whether your own web browser has been attacked. According to the Mozilla Foundation, Firefox and Firefox ESR are affected. Firefox version 131.0.2 and the ESR versions 128.3.1 and 115.16.1 are available to close the gaps. Thunderbird does not seem to be affected; at least, Mozilla does not mention the mail program.
The version dialog of Firefox finds and installs the updated software. It can be reached by clicking on the settings menu, which is hidden behind the symbol with the three horizontal lines to the right of the address bar, and then choosing "Help" and "About Firefox".
(Image: Screenshot / dmk)
As the vulnerability is already under attack and is considered critical, Firefox users and admins should quickly check whether the new software version is already installed.
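For admins who want to run that check across many machines, the following added example (not from Mozilla or heise) classifies version strings against the fixed versions named above. It assumes the strings look like the output of `firefox --version`, with ESR builds carrying an `esr` suffix, and that releases newer than 131.0.2 also contain the fix; host names and sample outputs are constructed.

```python
import re

# Fixed versions named in the article for CVE-2024-9680.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {128: (128, 3, 1), 115: (115, 16, 1)}  # keyed by ESR major branch

# Assumption: the last token looks like "131.0.2" or "128.3.1esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr); raise ValueError if unparseable."""
    tokens = text.split()
    m = _VERSION_RE.fullmatch(tokens[-1]) if tokens else None
    if m is None:
        raise ValueError(f"no plain Firefox version in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def assess(text):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    try:
        version, is_esr = parse_version(text)
    except ValueError:
        return "unknown"  # beta/nightly strings or garbage: review by hand
    if not is_esr:
        # A release build with an ESR-looking number (e.g. 128.0.3) lands here.
        return "patched" if version >= FIXED_RELEASE else "vulnerable"
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        return "unknown"  # ESR branch the article does not mention
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inventory (host names and outputs are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 131.0.2",
    "ws-02": "Mozilla Firefox 131.0",
    "ws-03": "Mozilla Firefox 128.3.1esr",
    "ws-04": "Mozilla Firefox 115.16.0esr",
    "ws-05": "Mozilla Firefox 128.0.3",
    "ws-06": "Mozilla Firefox 132.0b5",
}

if __name__ == "__main__":
    for host, output in SAMPLE.items():
        print(host, assess(output))
```

Hosts reported as "unknown" need a manual look, since the article names fixes only for the release channel and the two ESR branches.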
With the update to Firefox 128, Mozilla automatically activated the supposedly privacy-friendly ad delivery via "Privacy-Preserving Attribution" (PPA) without asking users. Noyb has lodged a complaint against this with the Austrian data protection authority.
(dmk)