We have recently encountered a critical security issue, identified as CVE-2024-9680, that affects several versions of Mozilla Firefox and Thunderbird. An attacker has successfully exploited this vulnerability, which involves a use-after-free issue in Animation timelines, resulting in code execution in the content process. In this post, we will delve into the details of the vulnerability, its exploitation, and the affected versions along with some mitigation steps.

Vulnerability Details

CVE-2024-9680 is a use-after-free vulnerability that resides in the Animation timelines implementation. When an Animation object is created and it refers to a timeline, the Animation object can hold a raw pointer to the timeline. However, if the timeline is deallocated as a part of garbage collection and an Animation object remains, the raw pointer could refer to previously freed memory. An attacker can exploit this situation by manipulating memory to execute arbitrary code within the content process.

The original report of this issue can be found in Mozilla's advisory: Security Advisory 2024-04

This vulnerability has been assigned a CVSS score of 9.8, which indicates a high severity level.

Exploitation

An attacker can exploit the use-after-free vulnerability by creating a specially crafted website containing malicious JavaScript code. If a user visits this website, the malicious JavaScript code will be executed in the context of the content process, potentially allowing the attacker to take control of the system. Reports of this vulnerability being exploited in the wild have been confirmed.

The following code snippet demonstrates how the use-after-free vulnerability can be triggered

// Create a new Animation object with an associated timeline
let animation = new Animation(some_element, some_keyframes, { duration: 100 });

// Force garbage collection, deallocating the timeline's memory, but leaving the animation's raw pointer intact
gc();

// Manipulate freed memory (e.g., by allocating and populating memory with attacker-controlled data)
// ...
// Read or write to the now-freed memory through the animation's raw pointer, potentially resulting in
// code execution within the content process

Mitigation

Since the publication of this vulnerability, Mozilla has issued patches for the affected versions. The following versions and later contain the patch for CVE-2024-9680:

Thunderbird 115.16.

Users can mitigate the impact of this vulnerability by updating Firefox and Thunderbird to the latest versions that include the fix. If updating is not an option, users should be cautious when visiting websites and avoid clicking on suspicious links or accessing untrusted content.

Conclusion

CVE-2024-9680 is a critical use-after-free vulnerability in Animation timelines, allowing an attacker to execute arbitrary code within the content process of Firefox and Thunderbird. Mozilla has released patches for the affected versions, and users are advised to update to the latest versions to protect their systems. It is crucial to stay vigilant against potential exploitation of this vulnerability in the wild and take appropriate precautions when browsing the web.

Timeline

Published on: 10/09/2024 13:15:12 UTC
Last modified on: 10/11/2024 13:15:21 UTC