TechEcho
Mozilla fixes Firefox zero-day actively exploited in attacks

196 points by timokoesters, 7 months ago

15 comments

statusfailed, 7 months ago

Seems bad. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

See:

- NVD page for CVE-2024-9680: https://nvd.nist.gov/vuln/detail/CVE-2024-9680

- Mozilla security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
KwanEsq, 7 months ago

The patch: https://hg.mozilla.org/releases/mozilla-release/rev/d2a21d941ed5a73a37b3446caa4a49e74ffe854b
NicolaiS, 7 months ago

A note for Ubuntu users: if Firefox is installed using `snap` (the default) and you run `snap refresh`, it will output "All snaps up to date" - but this is not true! You have to close Firefox, then run `snap refresh` for snap to upgrade Firefox...
pixelesque, 7 months ago

Red Hat Bugzilla has a tiny bit more info about dates (looks like very recent?) and is public:

https://bugzilla.redhat.com/show_activity.cgi?id=2317442

and it likely affects Thunderbird as well by the looks of things.
Malidir, 7 months ago

Would Rust and its memory safety stuff have prevented this?
palata, 7 months ago

> The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Does that mean it impacts Firefox 131.0.+, Firefox ESR 115.16.+ and Firefox ESR 128.3.+?

I.e. Firefox 130.0.+ or Firefox ESR 114.+.+ are fine? It's not clear to me when the vulnerability was introduced...
high_na_euv, 7 months ago

We need a browser written in a managed language.

Even if it means some perf drop, modern hardware will get it back in X years, but safety will be significantly improved.
calyhre, 7 months ago

It's fixed in the developer edition 132.0b5 as well, if you are wondering.
rightbyte, 7 months ago

This seems quite bad, but how practical is it?

Like, the attacker will get write and read access to part or the whole of some other object allocated on the heap, when the memory is reused?

Seems hard to do anything useful with.
jokoon, 7 months ago

I wonder how many skilled black hats work for Iran, China or Russia.

And I can imagine that those countries use front companies to buy exploits.

I just hope that those black hats understand that their discovery might land in the wrong hands.

I guess those black hats don't like authoritarian regimes.
spirobelv2, 7 months ago

This is the change that fixed it:

https://github.com/mozilla/gecko-dev/commit/7a85a111b5f42cdc07f438e36f9597c4c6dc1d48
nullc, 7 months ago

Regain your ability to sleep at night: https://www.qubes-os.org/
okasaki, 7 months ago

It references "Bug 1923344" but when I click the link I get "You are not authorized to access bug 1923344."
sylware, 7 months ago

Until the next one...

It has been like that for most 'internet software' in the last decades, no light at the end of this tunnel.
loopdoend, 7 months ago

Fixed many months ago, just being made public now, according to the bug tracker. Why a 7 month delay?