When the redirect web page is visited, a malicious JavaScript script is executed that exploits a use-after-free memory vulnerability in the Firefox animation timelines feature. The flaw, now tracked as CVE-2024-9680, was patched on Oct. 9, one day after the ESET researchers reported it to Mozilla. The vulnerability is rated critical with a score of 9.8 and results in code execution inside the Firefox content process, specifically a malicious DLL library in this case.
“Mozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9, 2024,” the ESET researchers said. “Essentially, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.”
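The lifetime rule behind that fix can be shown in a small model. This is an added example, not Mozilla's code and not taken from the patch: `std::shared_ptr` stands in for `RefPtr`, the `Timeline` and `Animation` types are hypothetical, and it assumes an animation is dropped from the timeline while the tick loop is still running.

```cpp
// Simplified model, not Mozilla's code: std::shared_ptr stands in for RefPtr.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>
static int g_destroyed = 0;  // counts Animation destructor calls
struct Timeline;
struct Animation {
    Timeline* timeline = nullptr;
    bool ticked = false;
    ~Animation() { ++g_destroyed; }
    void Tick();
};

struct Timeline {
    std::vector<std::shared_ptr<Animation>> animations;
    void Add() {
        auto a = std::make_shared<Animation>();
        a->timeline = this;
        animations.push_back(std::move(a));
    }
    void Remove(Animation* a) {  // drops the timeline's own reference
        animations.erase(
            std::remove_if(animations.begin(), animations.end(),
                [a](const std::shared_ptr<Animation>& p) { return p.get() == a; }),
            animations.end());
    }
    // Returns the number of animations destroyed while the loop was running.
    int Tick() {
        int before = g_destroyed;
        // Strong references taken up front keep every animation alive for the
        // whole loop, even when one is removed from `animations` mid-tick.
        std::vector<std::shared_ptr<Animation>> held = animations;
        for (auto& anim : held) anim->Tick();
        return g_destroyed - before;  // evaluated before `held` is released
    }
};

void Animation::Tick() {
    if (timeline) timeline->Remove(this);  // assumed trigger: removal mid-tick
    ticked = true;  // safe: Timeline::Tick still holds a reference to *this
}

int main() {
    Timeline t;
    t.Add(); t.Add(); t.Add();
    std::printf("destroyed during tick: %d\n", t.Tick());
}
```

If `held` stored raw `Animation*` values instead, the write to `ticked` after `Remove` would touch memory that had already been freed.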
A privilege escalation flaw in Windows Task Scheduler
The Firefox content process is sandboxed, having an untrusted privilege level, which means that the attackers couldn’t execute code on the underlying operating system with just the Firefox vulnerability alone.