Mozilla patches critical Firefox vuln that attackers are already exploiting

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser. Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's animation progresses. The most …

  1. Anonymous Coward

    Yes but...

    I just applied the update.

    Now my web browser wants to start searching my network for other devices and collect data on them. Why?

    Thunderbird is asking the same. This is the text of the popup.

    This will allow the app to discover, connect to and collect data from devices on your networks.

    My answer is 'Hell NO!'

    1. Headley_Grange Silver badge

      Re: Yes but...

      I know that this isn't the most helpful answer, but I updated yesterday and I haven't had any messages. I'm on a Mac - Sonoma 14.7.

      1. Anonymous Coward

        Re: Yes but...

        I'm on a Mac (M1 15in) running Sequoia 15.0.1

        1. Headley_Grange Silver badge

          Re: Yes but...

          Aah - OK. Sounds like something to look forward to when I eventually upgrade to Sequoia.

          1. IvyKing

            Re: Yes but...

            Apparently Sequoia does prevent apps from accessing intranet (LAN) hosts unless specifically given permission to do so. I would be curious if it blocks access to the default route address as that is typically used to administer the router. It will be interesting to see how this plays out in the long run especially if the reports about Safari not being affected are true.

            One more reason to wait to update to MacOS 15.x.

            1. Barche

              Re: Yes but...

              I think iOS has had this for a long time and I wonder if this is the reason why the Home Assistant app has so much trouble connecting to its server, even though the "local network" permission is on.

      2. Bitbeisser

        Re: Yes but...

        Had already updated all my hosts to 103.2 before I even saw this article, and never once saw this message either. Neither on various versions of Windows (server) nor on the latest Linux Mint...

    2. Dan 55 Silver badge

      Re: Yes but...

      It's yet another stupid warning for macOS 15, for any app which does LAN access (as you'd expect a browser to do).

      Bet Safari doesn't pop up a scary warning...

    3. Charlie Clark Silver badge

      Re: Yes but...

      Don't see that on my systems – MacOS Ventura mainly – but I do get crashes in accountsd every time I update Safari.

      You might want to search for the popup because I'd be very surprised to see this in Firefox, though they do now have a few odd things, and certainly not in a patch release like this.

    4. xanadu42

      Re: Yes but...

      A quick DuckDuckGo search indicates macOS Sequoia affecting Firefox and Google Chrome

      https://discussions.apple.com/thread/255795609?sortBy=rank

      https://forums.macrumors.com/threads/problems-with-firefox-connecting-to-local-sites-on-my-network.2439635/

    5. JulieM Silver badge

      Re: Yes but...

      What were your configuration options?

    6. ThatOne Silver badge

      Re: Yes but...

      Sorry but you seem to be alone in this: My Firefox didn't ask that either, so I would assume you have a special, individual problem.

      Besides, why would a Firefox upgrade change the behavior of Thunderbird? AFAIK they are separate programs, aren't they?

      It probably isn't anything nefarious (they wouldn't ask politely, would they), but it likely has nothing to do with the Firefox update itself, especially since the security fix is the only item in the changelog (no new features).

      1. Richard 12 Silver badge

        Re: Yes but...

        It's Sequoia.

        Everything that can access the local network pops up that warning.

        As far as I can tell, it's intended to scare you away from using any browsers other than Safari.

  2. MJI Silver badge

    Just appeared in update manager

  3. MJI Silver badge

    Firefox updated, all works as it usually does

    1. FrogsAndChips Silver badge

      Same here.

      It's just a pity that Firefox doesn't give you easy access to the release notes *before* you upgrade, the pop-up only links to the notes from the current version you're using. I'd rather be able to see what's new in the next version, especially the security fixes, before deciding to upgrade now or later.

      1. Anonymous Coward

        re: what's new in the *next* version

        "I'd rather be able to see what's new in the next version, especially the security fixes, before deciding to upgrade now or later."

        Indeed, it's a bit silly. But the version number is part of the URL and can easily be edited there to point to the newest; I do that routinely.

  4. Ilmarinen

    Yada Yada

    yada yada El Reg "reporter" repeats press releases (several times).

    So what was the actual vulnerability? How did it work? Who was exploiting it? When did it become an issue? Etc., etc...

    AKA 4/10, see me. (but no editor actually said this)

    1. IGotOut Silver badge

      Re: Yada Yada

      Maybe if you clicked the fucking links to the advisories you may find the answers. Or is that a bit too challenging?

      1. HashimFromSheffield

        Re: Yada Yada

        Did you actually fucking try doing that? Because the advisory says fucking nothing and the actual bug report is behind fucking authentication that requires more than basic privileges to see. See, I can swear to act hard too.

    2. Dan 55 Silver badge

      Re: Yada Yada

      Would you like this info taken out of the article and put in the headline for you?

      1. Confucious2

        Re: Yada Yada

        Yes please, I’m too lazy to read the whole thing.

      2. Elongated Muskrat Silver badge

        Re: Yada Yada

        He must have the attention span of a

        Oh look, a squirrel

        1. Anonymous Coward

          Re: Yada Yada

          Oh look, a muskrat :-p

  5. O'Reg Inalsin

    That Firefox version is not yet available.

  6. Nick Ryan Silver badge

    Am I missing something?

    I had a look and the animation timeline functionality in Firefox needs to be specifically enabled; therefore, by default, this issue won't impact users that have not enabled it.
