#1
It has become known that the vulnerability CVE-2024-9680 fixed last week in Firefox could be used against Tor Browser users.
Let us recall that the problem was discovered by ESET specialist Damien Schaeffer and was a use-after-free problem in Animation timelines. Animation timelines are part of the Firefox Web Animations API, and this mechanism is responsible for managing animation and synchronizing it on web pages.
The developers released an emergency patch and warned that due to this vulnerability, an attacker could achieve arbitrary code execution while working with content. At that time, no more detailed information was reported either about the bug itself or about the attacks in which it was used.
The problem was fixed in the following versions of the browser: Firefox 131.0.2, Firefox ESR 115.16.1 and Firefox ESR 128.3.1.
As Mozilla has now reported, ESET specialists gave them a “combat” exploit for CVE-2024-9680, which was used by hackers in real attacks.
“The sample sent to us by ESET contained a full chain of exploits that allowed remote code execution on the user’s computer,” the developers write.
Mozilla assembled a team to reverse engineer the exploit and figure out how it works, after which they prepared an emergency patch within one day. The organization’s representatives emphasize that they will continue to analyze the exploit in order to develop additional protection measures for Firefox.
Almost simultaneously, Tor developers reported that, according to Mozilla, this vulnerability was actively used in attacks on Tor Browser users.
“Using this vulnerability, an attacker could gain control of the Tor browser, but most likely would not be able to deanonymize you in Tails,” the statement read.
However, the project's blog post was later edited, and the Tor Project clarified that they had no evidence that Tor Browser users were intentionally attacked using CVE-2024-9680.
However, the bug did affect the Firefox-based Tor Browser, and the developers emphasized that the issue was fixed in Tor Browser versions 13.5.7, 13.5.8 (for Android), and 14.0a9.

https://www.youtube.com/watch?v=2RmUMmUj3u8
Opinion? RCE when processing CSS, that is, it worked in Tor with NoScript

[Image: 1729050381556.png]
The vulnerability still works in the beta release channel of Thunderbird