CVE-2024-9680 — Mozilla Firefox Use-After-Free Vulnerability

Mozilla Firefox — Use-After-Free in CSS Animation Timelines; Zero-Day Discovered by ESET; Chained with CVE-2024-49039 for Full Sandbox Escape; Fixed Firefox 131.0.2

What is Mozilla Firefox?

Mozilla Firefox is one of the world's most widely used web browsers, with hundreds of millions of users globally. Browser vulnerabilities are extremely high-value targets for threat actors: a successful browser exploit allows execution of attacker code on the victim's computer simply by visiting a malicious website or viewing malicious content — no other action required. Browser exploit chains targeting Firefox, Chrome, and Safari are continuously developed by both nation-state actors and commercial exploit vendors (like NSO Group and Intellexa) for sale to governments and law enforcement. Firefox's use-after-free class of vulnerabilities — where a memory object is used after being freed — can be weaponized to achieve controlled code execution within the browser's content process.

Overview

CVE-2024-9680 is a use-after-free vulnerability (CWE-416) in Mozilla Firefox's CSS Animation timeline implementation. The animation timelines component handles CSS @keyframes and animation properties; a use-after-free occurs when an animation object is freed while still referenced, allowing an attacker to control the freed memory region and corrupt execution flow. ESET discovered this as a zero-day being actively exploited in targeted attacks; it reported the issue to Mozilla on October 8, 2024, and Mozilla released emergency patches within 24 hours. CVE-2024-9680 was chained with CVE-2024-49039 (a privilege escalation zero-day in Windows Task Scheduler) to achieve a complete sandbox escape and execute code on the victim's Windows system with elevated privileges.

Affected Versions

Product | Vulnerable | Fixed
Firefox | < 131.0.2 | 131.0.2
Firefox ESR | < 128.3.1 | 128.3.1
Firefox ESR (older) | < 115.16.1 | 115.16.1
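
An inventory check built from the table above, as an added example (not code from Mozilla or from the original page). It assumes ESR builds report an "esr" suffix in their version string; the hostnames and versions are constructed. Comparing an ESR build against the release row would wrongly flag a patched 128.3.1esr install, so the branch is selected first.

```python
import re

# Fixed versions, taken from the "Affected Versions" table on this page.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR_128 = (128, 3, 1)
FIXED_ESR_115 = (115, 16, 1)

# Assumed input format: "131.0.2", "128.3.0esr", "Mozilla Firefox 115.16.0esr".
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), is_esr); raise ValueError if unparseable."""
    match = VERSION_RE.search(text.strip())
    if not match:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None

def fixed_version_for(version, is_esr):
    """Select the table row that applies to this build."""
    if not is_esr:
        return FIXED_RELEASE
    # ESR 128.x is fixed in 128.3.1; ESR 115.x and older fall under 115.16.1.
    return FIXED_ESR_128 if version[0] >= 128 else FIXED_ESR_115

def is_vulnerable(text):
    version, is_esr = parse_version(text)
    return version < fixed_version_for(version, is_esr)

def audit(inventory):
    """Map each host to 'VULNERABLE', 'patched' or 'unknown'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = "VULNERABLE" if is_vulnerable(version_text) else "patched"
        except ValueError:
            report[host] = "unknown"  # e.g. beta builds; review by hand
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"ws-01": "Mozilla Firefox 131.0", "ws-02": "Mozilla Firefox 128.3.1esr",
                    "ws-03": "115.16.0esr", "ws-04": "132.0b3"}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```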

Technical Details

Use-after-free in Animation timelines (CWE-416): CSS animations are managed by Firefox's animation engine. A timing issue or incorrect reference counting in the animation timeline code causes an animation-related object to be freed (deallocated) while a reference to it still exists in another part of the engine. When the freed pointer is subsequently dereferenced, the attacker can influence the content of the freed memory (through heap grooming techniques) to control what values are read.

From UAF to code execution:

  1. Attacker crafts malicious HTML/CSS/JavaScript that triggers the use-after-free condition
  2. Through heap spraying or other memory manipulation, attacker places controlled data at the freed address
  3. When Firefox reads from the freed pointer, it reads attacker-controlled values — including fake vtable pointers
  4. A subsequent virtual function call via the corrupted vtable pointer redirects execution to attacker-controlled code
  5. Code executes within Firefox's content process (sandbox)

CVE-2024-49039 sandbox escape: Firefox runs web content in a sandboxed content process that has limited system privileges. To achieve full system compromise, the attacker chains CVE-2024-9680 (content process RCE) with CVE-2024-49039, a Windows Task Scheduler RPC vulnerability that allows the sandboxed content process to call privileged Windows functions and escape the Firefox sandbox. Together, the two zero-days yield code execution outside the sandbox.

Delivery mechanism: The complete exploit chain is deliverable via a malicious web page — the victim simply needs to visit the attacker's site or view an injected advertisement with Firefox to trigger the exploit.

Discovery

ESET Research (Damien Schaeffer) discovered both CVE-2024-9680 and CVE-2024-49039 and reported them to Mozilla and Microsoft respectively. ESET published research documenting targeted attacks using the full exploit chain.

Exploitation Context

ESET detected the zero-day being used in targeted attacks — likely by a sophisticated threat actor with access to browser exploit capabilities. CISA added CVE-2024-9680 to the KEV catalog 6 days after the emergency patch, confirming active exploitation. The combination of Firefox content process RCE (CVE-2024-9680) and Windows privilege escalation (CVE-2024-49039) represents a complete, weaponized exploit chain. The ransomwareUse: true flag indicates ransomware operators subsequently adopted the exploit technique after public disclosure.

Remediation

  1. Update Firefox to 131.0.2 (or Firefox ESR to 128.3.1/115.16.1) immediately. The CISA deadline was November 5, 2024.
  2. Enable automatic browser updates — browser zero-days like this demonstrate why automatic updates must be enabled and not overridden by enterprise policy in ways that delay security patches.
  3. Apply Windows security updates for CVE-2024-49039 (Task Scheduler privilege escalation) — patching the sandbox escape companion reduces the impact of any future Firefox content process compromise.
  4. Deploy browser isolation (remote browser isolation) for high-risk users who browse untrusted content, particularly executives and workers in sensitive roles.
  5. Monitor endpoint detection for anomalous processes spawned by Firefox — a successful sandbox escape would typically result in child processes spawned by the Firefox content process that are unusual.
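
One way to implement the monitoring in step 5, as an added example (not from the original page or any vendor's detection content). The events are constructed; Image and ParentImage follow Sysmon Event ID 1 naming, while the Host field and the allow-list of expected child binaries are assumptions to tune per environment.

```python
import json
import ntpath  # parses Windows paths on any OS

# Assumption: binaries shipped in the Firefox install directory that are
# expected as children of firefox.exe. Tune this list for your fleet.
EXPECTED_CHILDREN = {"firefox.exe", "crashreporter.exe", "pingsender.exe",
                     "updater.exe", "default-browser-agent.exe"}

# Constructed process-creation events, one JSON object per line. Image and
# ParentImage follow Sysmon Event ID 1 naming; Host is a made-up field.
SAMPLE_EVENTS = r"""
{"Host": "ws-01", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"Host": "ws-01", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Program Files\\Mozilla Firefox\\pingsender.exe"}
{"Host": "ws-02", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"Host": "ws-03", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Users\\Public\\updater.exe"}
{"Host": "ws-03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
"""

def classify(event):
    """Return None for expected activity, otherwise a short reason string."""
    parent, child = event["ParentImage"], event["Image"]
    if ntpath.basename(parent).lower() != "firefox.exe":
        return None  # only children of Firefox are in scope
    if ntpath.basename(child).lower() not in EXPECTED_CHILDREN:
        return "unexpected child process"
    # An allow-listed name must also live next to the parent binary.
    if ntpath.normcase(ntpath.dirname(child)) != ntpath.normcase(ntpath.dirname(parent)):
        return "expected name outside Firefox install directory"
    return None

def find_anomalies(lines):
    """Return (host, child image name, reason) for every flagged event."""
    alerts = []
    for line in lines.splitlines():
        if line.strip():
            event = json.loads(line)
            reason = classify(event)
            if reason:
                alerts.append((event["Host"], ntpath.basename(event["Image"]), reason))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Firefox can also start external applications for ordinary reasons, such as a user opening a downloaded file, so hits are triage leads that need the surrounding context.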

Key Details

Property | Value
CVE ID | CVE-2024-9680
Vendor / Product | Mozilla — Firefox
NVD Published | 2024-10-09
NVD Last Modified | 2025-11-04
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-416
CISA KEV Added | 2024-10-15
CISA KEV Deadline | 2024-11-05
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2024-11-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-10-08 | ESET reports zero-day to Mozilla (CVE-2024-9680 and CVE-2024-49039)
2024-10-09 | Mozilla releases Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1 with fix; CVE published
2024-10-15 | CISA adds to KEV (6 days after patch)
2024-11-05 | CISA BOD 22-01 remediation deadline