About the Vulnerability
Introduction
Mozilla Firefox is a free and open-source web browser developed by Mozilla.
Animation timelines are part of the Firefox Web Animations API and serve as a mechanism for controlling and synchronizing animations on web pages.
Summary
On October 10, 2024, Sangfor FarSight Labs received notification of a code execution vulnerability (CVE-2024-9680) in a Mozilla Firefox component, classified as critical in threat level.
The Animation timelines module in Mozilla Firefox contains a severe use-after-free vulnerability, which attackers can exploit to execute arbitrary code within the process. Note: It has been officially reported that this vulnerability is being widely exploited in the wild.
Affected Versions
Firefox < 131.0.2
Firefox ESR < 115.16.1
Firefox ESR < 128.3.1
Solutions
Remediation Solutions
Check the System Version
You can check the system version by clicking “Setting” - “Help” - “About Firefox” in the browser.
Official Solution
Affected users are strongly advised to update Firefox to one of the following versions:
Firefox 131.0.2
Firefox ESR 115.16.1
Firefox ESR 128.3.1
You can update to the latest version by clicking “Setting” - “Help” - “About Firefox”.
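The affected-version rules above depend on the release channel: an ESR build at 128.3.1 is fixed, while a regular release build with the same number is still below 131.0.2. The following added example (not from Sangfor or Mozilla) applies those rules to version strings collected from hosts. It assumes strings in the form the browser reports, with ESR builds carrying an "esr" suffix; the host names and inventory are constructed.

```python
import re

# Fixed versions as listed on this page.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR_128 = (128, 3, 1)
FIXED_ESR_115 = (115, 16, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_affected(text):
    """True if the reported version is below the fixed version for its channel."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    version, is_esr = parsed
    if not is_esr:
        return version < FIXED_RELEASE
    # ESR builds are compared with the fix for their own branch. Branches
    # older than 128 fall under the "ESR < 115.16.1" rule.
    fixed = FIXED_ESR_128 if version[0] >= 128 else FIXED_ESR_115
    return version < fixed


def affected_hosts(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory: host name -> version string reported by the browser.
    sample = {
        "ws-01": "Mozilla Firefox 131.0.2",
        "ws-02": "Mozilla Firefox 130.0.1",
        "ws-03": "Mozilla Firefox 128.3.0esr",
        "ws-04": "Mozilla Firefox 115.16.1esr",
    }
    for host in affected_hosts(sample):
        print(f"{host}: update required ({sample[host]})")
```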
Sangfor Solutions
Risky Assets Detection
The following products support proactive detection of Mozilla Firefox and can identify, in batches, the assets affected by this vulnerability in business scenarios. Related products are as follows:
[Sangfor CWPP] has released a detection scheme with Fingerprint ID: 0000322.
[Sangfor Host Security] has released a detection scheme with Fingerprint ID: 0000322.
Timeline
On October 10, 2024, Sangfor FarSight Labs received notification of the Mozilla Firefox Animation timelines Remote Code Execution vulnerability.
On October 11, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/