A recent investigation by ESET has unveiled two critical zero-day vulnerabilities that pose significant risks to users of popular web browsers. These vulnerabilities, if exploited, can lead to remote code execution, allowing malicious actors to gain unauthorized access to systems.
Exploitation by Russian Hackers
Security researchers have identified that a Russian advanced persistent threat (APT) group, known as RomCom, is actively leveraging these vulnerabilities to deploy sophisticated backdoor malware. The first vulnerability, a use-after-free bug found in the animation timeline feature of Firefox, was discovered on October 8 and assigned the identifier CVE-2024-9680. This flaw causes the browser to use memory that has already been freed, resulting in unpredictable behavior and the potential for code execution within the browser’s restricted environment.
Remarkably, this exploit is classified as “zero-click,” meaning that victims need only visit a malicious website to be compromised, with no further interaction required on their part. ESET has not disclosed the exact number of affected individuals or organizations; however, it has noted that the majority of victims tracked between October 10 and November 4 were located in Europe and North America.
Timely Fixes Available
Fortunately, patches for both vulnerabilities have been available for over a month, with the fix for the Firefox bug released just a day after its discovery. To mitigate the risks associated with these vulnerabilities, users are strongly advised to ensure that their Firefox, Thunderbird, and Tor Browser installations are updated, along with their Windows operating systems.