Firefox Arbitrary Code Execution: CVE-2024-9680 | ThreatLocker Blog

Firefox Remote Code Execution: CVE-2024-9680

What is CVE-2024-9680?

CVE-2024-9680 is a critical, actively exploited “Use-After-Free” vulnerability in the animation timeline component of Mozilla’s web developer tools, which can lead to arbitrary code execution. In turn, this could allow additional malicious code, such as ransomware, to be downloaded from a remote location and executed on the user’s host. Successful exploitation only requires the user to visit an attacker-controlled web page; no further user interaction is needed.

[Image: Firefox Animation Timeline]

What is a “Use-After-Free” Vulnerability?

A “Use-After-Free” vulnerability typically occurs when dynamically allocated (heap) memory is released but a pointer that still refers to the released location is not cleared. If an attacker can control the data placed at the memory location that the stale pointer still refers to, the result can be controllable arbitrary code execution.
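To make the pattern concrete, here is an added illustration (not from this advisory and not Mozilla's code, and not the actual Firefox bug) of the shared-ownership mistake behind a use-after-free, next to the reference-counting discipline that prevents it. The two-slot allocator is a constructed stand-in for the heap so that slot reuse is deterministic and no real freed memory is ever touched.

```c
#include <stdio.h>

/* Toy fixed-slot allocator (constructed for this example) standing in for the heap. */
#define SLOTS 2
typedef struct { int value; } Timeline;
static Timeline slots[SLOTS];
static int live[SLOTS];   /* 1 while the slot is allocated */
static int refs[SLOTS];   /* reference count for the hardened path */

static Timeline *tl_alloc(int value) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; refs[i] = 1; slots[i].value = value; return &slots[i]; }
    return NULL;
}
static int slot_of(Timeline *t) { return (int)(t - slots); }
static void tl_free(Timeline *t) { live[slot_of(t)] = 0; }
/* Reference counting: the object is freed only when its last holder lets go. */
static Timeline *tl_addref(Timeline *t) { refs[slot_of(t)]++; return t; }
static void tl_release(Timeline *t) { if (--refs[slot_of(t)] == 0) tl_free(t); }
int live_slots(void) { int n = 0; for (int i = 0; i < SLOTS; i++) n += live[i]; return n; }

/* Vulnerable pattern: the owner frees the timeline while another component still
 * holds a raw pointer. The next allocation reuses the slot, so the stale pointer
 * now reads data it was never meant to see. */
int dangling_read(void) {
    Timeline *owner = tl_alloc(42);
    Timeline *viewer = owner;          /* raw alias, takes no ownership */
    tl_free(owner);                    /* owner is done with it */
    Timeline *other = tl_alloc(0x41);  /* reuses the freed slot */
    int seen = viewer->value;          /* use after free: 0x41, not 42 */
    tl_free(other);
    return seen;
}

/* Hardened pattern: every holder takes a reference, so the slot stays live until
 * the last holder releases it and the new allocation lands elsewhere. */
int refcounted_read(void) {
    Timeline *owner = tl_alloc(42);
    Timeline *viewer = tl_addref(owner);
    tl_release(owner);                 /* owner done, object still live */
    Timeline *other = tl_alloc(0x41);  /* gets a different slot */
    int seen = viewer->value;          /* 42 */
    tl_release(viewer);                /* last reference: freed now */
    tl_free(other);
    return seen;
}

int main(void) {
    printf("dangling read: %d, refcounted read: %d\n", dangling_read(), refcounted_read());
    return 0;
}
```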

What Software is Affected?

According to NIST (https://nvd.nist.gov/vuln/detail/CVE-2024-9680), the following product versions are affected:

  • Mozilla Firefox: Versions before 131.0.2
  • Mozilla Firefox ESR: Versions before 128.3.1
  • Mozilla Firefox ESR: Versions before 115.16.1
  • Mozilla Thunderbird: Versions before 131.0.1
  • Mozilla Thunderbird: Versions before 115.16.0
  • Mozilla Thunderbird: Versions before 128.3.1
  • Other Firefox (Gecko) based browsers are also affected, such as Tor Browser.

How can CVE-2024-9680 be Leveraged?

CVE-2024-9680 can be leveraged to target high-value users by means of phishing, SEO poisoning, malvertising, typosquatting, and punycode domains. Once the attacker-controlled web page loads, the vulnerability can be triggered, potentially leading to malicious code being executed in the context of Firefox or Thunderbird. From there, attackers have the ability to exfiltrate user data, encrypt accessible files, and deploy additional software for persistence or command-and-control purposes.

What Can You Do to Mitigate CVE-2024-9680?

In cases where deploying patches for the affected products in a timely manner is not possible, migrating to an alternative Chromium-based browser, such as Google Chrome, Brave, Microsoft Edge, or Opera, can be a temporary solution.

Recommendations for ThreatLocker® Customers

Ensure Firefox is Ringfenced™ from interacting with other commonly abused applications, such as PowerShell, Command Prompt, CScript, RegSVR32, RunDLL, Task Scheduler, and Forfiles.

Additionally, create an application control block policy for the built-in “Vulnerable Firefox” application.

Also consider enabling the “Vulnerable Firefox Execution Detected” community detect policy to generate alerts on execution of the respective vulnerable versions.

Recommendations for Everyone

Immediately update Firefox, Firefox ESR, and Thunderbird on all systems with any of the affected versions installed.

Author: John Moutos