Help Center
Log in
Log in

How can we help?

Common topics:

AI, Tickets, Agents
Help Center
In this Article:
    1. Atera Support
    2. Library
    3. Special notices

    Mozilla security flaw (CVE-2024-9680)

    Dragos Gabriel Tulbure

    A critical security vulnerability, CVE-2024-9680, has been discovered in Firefox and Firefox Extended Support Release (ESR). This vulnerability is being actively exploited in the wild, putting users at risk of remote code execution (RCE). The issue arises from a use-after-free bug in the Animation timeline component of the browser.

    The vulnerability has been assigned a CVSS score of 9.8, indicating a critical level of severity. Users are strongly advised to update their browsers immediately to the latest versions to mitigate the risk.

     

    Key Details

    • Vulnerability ID: CVE-2024-9680
    • CVSS Score: 9.8 (Critical)
    • Component Affected: Animation timeline component in Firefox
    • Type: Use-after-free vulnerability
    • Exploited in the Wild: Yes
    • Impact: Remote Code Execution (RCE)

     

    Impact of Exploitation

    An attacker can exploit this vulnerability to execute arbitrary code within the content process of the browser. This could potentially allow attackers to install malware or gain unauthorized access to the victim's system.

    Mozilla has stated that they received a "full exploit chain" from ESET, which demonstrates how this vulnerability can be used to perform RCE on a target machine. While specific exploitation methods have not been disclosed, typical exploitation vectors include:

    • Watering hole attacks: Targeting specific websites to infect visitors.
    • Drive-by download campaigns: Tricking users into visiting malicious websites.

     

    Affected Versions

    The following versions of Firefox and Firefox ESR are vulnerable:

    • Firefox 131.0.1 and earlier versions.
    • Firefox ESR 128.3.0 and earlier versions.
    • Firefox ESR 115.16.0 and earlier versions.

     

    Resolved Versions

    The issue has been addressed in the following versions:

    • Firefox 131.0.2
    • Firefox ESR 128.3.1
    • Firefox ESR 115.16.1

    Users should update to these versions or newer to ensure they are protected from the vulnerability.

     

    Recommendations

    To protect against this critical vulnerability, users are advised to:

    1. Update to the latest version of Firefox or Firefox ESR immediately:

      • Firefox users should upgrade to 131.0.2.
      • Firefox ESR users should upgrade to 128.3.1 or 115.16.1.

    2. Check your browser version by navigating to Help > About Firefox to ensure you are using a patched version.

     

    Update Using Atera

    To address the critical vulnerability CVE-2024-9680, you can update Firefox to a secure version directly through Atera. Atera’s Software Update feature, available within IT Automation Profiles, allows you to automate the patching process for all managed devices.

     

    Steps to Update Firefox:

    1. Log in to your Atera account.
    2. Navigate to Admin > IT Automation.
    3. Select the relevant IT Automation Profile for the devices that require the Firefox update.
    4. Ensure that Software Updates is enabled within the profile.
    5. Apply the changes and execute the profile to deploy the Firefox update across all selected devices.

    For detailed steps, please refer to the following article:

     

    This will ensure that all systems are updated to the latest secure version, protecting them from the active exploitation of CVE-2024-9680.

     

    Important note: For Firefox ESR 128.3.1 and Firefox ESR 115.16.1 it is not possible to update using the feature Software Update found within IT Automation profiles, you have the option to upload the latest versions as a script in Atera and run them on your devices either manually or assigning the script in an IT Automation profile.

     

     

    Copyright © Atera Networks Ltd.2023

    apple store app google play app

    AICPA SOC for Service Organizations and ISO 27001 certified