Mozilla fixes Firefox zero-day actively exploited in attacks

170 pointsposted 10 hours ago
by timokoesters
(bleepingcomputer.com)

111 Comments

statusfailed

9 hours ago

Seems bad. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

See:

- NVD page for CVE-2024-9680: https://nvd.nist.gov/vuln/detail/CVE-2024-9680

- Mozilla security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-5...

btdmaster

7 hours ago

Ticket in Tor Browser: https://gitlab.torproject.org/tpo/applications/tor-browser/-...

It seems to be JavaScript-free from the description, which makes it even scarier. Imagine the libwebp decoder bug except embedded media blocking doesn't really work (who blocks CSS?).

mrob

7 hours ago

I block CSS animations:

https://news.ycombinator.com/item?id=33223080

I'd be interested to know if it's sufficient to avoid this recent vulnerability. Either way, it confirms my opinion that UI animations are an anti-feature.

schiffern

5 hours ago

As a uBlock Origin filter (paste in Settings > My Filters):

  ! No CSS animations
  ##*,::before,::after:style(transition:none !important;animation-delay:0ms !important;animation-duration:0ms !important)
  
  ! No CSS animations (different method)
  ##*,::before,::after:style(animation-timing-function:step-start !important;transition-timing-function:step-start !important)
There's other (often perf heavy) CSS clutter that's nice to get rid of:

  ! No image filters
  ##*,::before,::after:style(filter:none !important)
  
  ! No text-shadow
  ##*,::before,::after:style(text-shadow:none !important)
  
  ! No box-shadow
  ##*,::before,::after:style(box-shadow:none !important)

  ! No rounded corners
  ##*,::before,::after:style(border-radius:0px !important)
No rounded corners is fun. You realize many loading spinners are actually CSS rounded corners! Youtube becomes almost unrecognizable — mercifully — especially if you also revert the new TikTok-inspired font:

  ! Un-bold Youtube
  youtube.com##*:style(font-weight:400 !important)

user

6 hours ago

[deleted]

user

8 hours ago

[deleted]

tempaccount420

3 hours ago

Is this karma for dropping Rust? (please don't explain how Rust actually wouldn't fix this)

NicolaiS

6 hours ago

A note for Ubuntu users; if Firefox is installed using `snap` (default) and you run `snap refresh` it will output "All snaps up to date" - but this is not true! You have to close firefox, then run `snap refresh` for snap to upgrade firefox...

guerrilla

6 hours ago

Not an Ubunutu or snap user but curious, why?

fhars

6 hours ago

The snap store also complains regularly that it can't updte the snap store because the snap store is running. It is just terrible software overall.

dspillett

6 hours ago

It doesn't update actively running application containers.

You don't actually need to stop it before running “snap refresh” though, it'll just be out of date as long as it is kept open. Once the application stops running, next time it is run the updated image will be used.

[caveat: I'm not a snap user myself currently, so my information may be inaccurate, take with a pinch of your favourite condiment]

guerrilla

5 hours ago

Interesting. On Arch, Firefox just refuses to keep working after I've updated and requests me to restart it.

AshamedCaptain

4 hours ago

That is Firefox standalone behavior when it detects its files have been changed and differ from the ones loaded by the current instance. In theory, what snap is doing avoid changing files from a program while it is running.

joha4270

5 hours ago

Now, I don't know how your setup looks like, but I don't think anything is distributed as snaps by default on Arch. At least AFAIK its mostly an Ubuntu & derivatives thing.

bmicraft

4 hours ago

Well, it was more broken in more interesting ways before they implemented the forced restart

guerrilla

4 hours ago

Yeah, I remember. That was fun. haha

lifthrasiir

6 hours ago

Neither am I, but seems that snap refreshes can be inhibited programmatically if they may cause some damage when proceeded in the background. So it is technically correct that no snap refreshes can be performed at this point, but the message doesn't clearly state that some refreshes have been inhibited (possibly because there would be tons of them if they are exhaustively listed?).

palata

7 hours ago

> The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Does that mean it impacts Firefox 131.0.+, Firefox ESR 115.16.+ and Firefox ESR 128.3.+?

I.e. Firefox 130.0.+ or Firefox ESR 114.+.+ are fine? It's not clear to me when the vulnerability was introduced...

acidburnNSA

5 hours ago

Got my update on Ubuntu this morning, but not seeing any updates for Firefox Android in Google Play yet.

Malidir

8 hours ago

Would Rust and it's memory safety stuff have prevented this?

Squeeze2664

8 hours ago

In some sense, yes. Use-after-free is impossible in safe Rust (if you don't use the unsafe keyword)

ramon156

6 hours ago

I'd argue that this is a good example of how rust could've prevented use-after-free, but y'know, I'd obviously be glazing.

xwolfi

8 hours ago

Java too !

yencabulator

21 minutes ago

The difference being that no one in their right mind is thinking of rewriting a browser in Java to also make it faster, while that's exactly what Servo/Stylo etc are all about.

bubblesnort

8 hours ago

And don't forget Ada.

Yoric

7 hours ago

And OCaml or Haskell :)

sph

7 hours ago

Why go fancy? Even Python saves you from use-after-free.

Yoric

5 hours ago

Come on, I had to outbid Ada somehow :)

For what it's worth, Python was also considered at some point for use in the Firefox codebase. I don't remember the rationale for not adopting it, but I think the idea was "we all like Python, but we already have one messy language (JavaScript), let's not make it two".

jeltz

6 hours ago

Brainfuck too!

high_na_euv

8 hours ago

We need a browser written in managed lang

Even if it means some perf drop, modern hardware will get it back in X years, but safety will be significantly improved

SoothingSorbet

8 hours ago

Why managed when it could be in Rust and have both performance and safety?

The Servo shouldn't have ever been laid off. Yes, I'm aware a team is working on it now, but it isn't up to the same speed and enthusiasm as it was when funded by Mozilla, is it?

high_na_euv

7 hours ago

Im aware of Rust, but there is C#/Java too, with way bigger ecosystem, community and lower entry level.

At the end of the day web browser is just bunch of parsers and compilers working together, and some video/audio

Yoric

3 hours ago

> At the end of the day web browser is just bunch of parsers and compilers working together, and some video/audio

That's... an interesting reduction :) I guess it's about as true as saying that the Linux Kernel is a bunch of I/O and a scheduler?

sunshowers

6 hours ago

The problem with writing a browser in C# or Java is that neither of them can provide anywhere close to the level of thread safety that Rust does.

chii

6 hours ago

both java and c# has thread safety primitives that are also pretty easy to use. E.g., the java concurrency package.

Yoric

3 hours ago

Having done concurrency in Java and Rust, my experience is that Rust's concurrency primitives are an order of magnitude better than Java's. I haven't tested C#'s.

om8

4 hours ago

The cool thing about rust is that it forces you to use thread safety primitives. It's called fearless concurrency

eqvinox

7 hours ago

Servo exists, in Rust. I don't know of any browser engine in C#/Java?

Also, modern browsers as a whole outsize entire OSes (sans browser)...

cesarb

4 hours ago

> I don't know of any browser engine in C#/Java?

A famous one is HotJava. According to Wikipedia, it was also the first web browser to support Java applets.

Yoric

3 hours ago

It was also a mess :)

Ygg2

7 hours ago

> At the end of the day web browser is just bunch of parsers and compilers working together

At the end of the day, OS is just a bunch of command lines being piped together. /sarcasm

Sure, you are just missing: rendering, layout, security, network traffic for sockets, low-level control over hardware, writing a decent enough VM, image processing, video playback, music playback, compression, decompression, self-update, decryption, don't forget add-ons people love add-ons, also add-on security and isolation, web edit and debug tools, network analysis tools, etc.

You know, little things.

high_na_euv

6 hours ago

Why would you need to reinvent networking layer instead of just sending http requests via matrue, battle tested lib available in your programming ecosystem e.g from MSFT? Same with crypto, sockets, compression, etc?

Video and audio I mentioned.

Extensions are tricky, right, but more from privacy standpoint cuz after all you can just expose too much

michaelt

5 hours ago

All the major browsers came out when Windows XP had substantial market share.

So browser vendors couldn't rely on the platform to provide up-to-date SSL support. Or MP3 support. Or MPEG-4 support. Or PDF support. This established the norm that browsers would ship their own video support, their own SSL support, and so on.

And Google realised they like the power this gives them - if Google wants to replace HTTP with QUIC or introduce a new video DRM standard, or a new video codec like VP9 - they don't need the cooperation of anyone outside of Google.

If Chrome bundles DRM support (allowing it to play Netflix), and its own HTTP/2 stack for speed - are you going to release a browser that's slower and doesn't play Netflix? Doesn't sound like a recipe for big market share.

Yoric

3 hours ago

Many of these components have been made part of the ecosystem long after they were introduced in Firefox. Also, the more platform-specific you go for each component, the more you're going to introduce subtle incompatibilities between Firefox running on different versions of Windows or in Firefox for Windows vs. macOS vs. Linux. Also, for a very, very long time, Microsoft had an extremely poor record in terms of security fixes. So what happens when you rely on a Microsoft http library and Microsoft takes a year or two to release a 0-day?

There are benefits to this approach, of course, but the costs would have been consequential.

viraptor

4 hours ago

Browsers are using new http features much earlier than they're available in the system libraries. Browsers supported http2 and 3 before they were standardised enough to include in systems. .net http client still can't even tell you about http2 early hints as far as I understand it.

It's going to be the same for crypto and compression. Systems don't ship with brotli for example. The battle tested implementations come to the browsers first in many cases - or at least they're battle tested at the point anyone starts including them in .net or Java.

high_na_euv

3 hours ago

Sure, not being at the leading edge is a disadvantage, but I guess you could still handle 99.x% of web pages

Ygg2

5 hours ago

> Why would you need to reinvent networking layer instead of just sending http requests via matrue, battle tested lib available in your programming ecosystem e.g from MSFT?

Because modern browsers are essentially cross-compatible OSes.

ftrobro

7 hours ago

Rust was created at Mozilla and currently 11.7% of the Firefox source code is in Rust:

https://4e6.github.io/firefox-lang-stats/

That's down from 12.49% at the peak in July 2020 so I assume the conversion work was halted after the layoffs in 2020:

https://docs.google.com/spreadsheets/d/1flUGg6Ut4bjtyWdyH_9e...

mozvalentin

6 hours ago

Android code was recently imported into mozilla-central which is quite considerable in size.

extraduder_ire

6 hours ago

I was thinking it looked like non-rust code diluted the percentage from the graphs, rather than an amount of rust code being removed.

psychoslave

7 hours ago

[flagged]

sph

7 hours ago

What's that got to do with anything? The CEO situation is awful, but this is just flame bait on your part.

psychoslave

5 hours ago

It’s all have to do with resource management here.

It’s obvious that laying off people that were working hard at making more robust the flagship product of the non-profit wasn’t going to result in a an increase of security in this product. Could the whole lay-off have been prevented? That would require some number analysis here, and insights I lake.

Could at least some termination have been avoided? Freezing the income of the CEO until some agreed metrics improve, and use the amount thus spare to save some employ salary was certainly an option here, wasn’t it?

Claiming "think of my family, look how much more some other people earn elsewhere" while almost simultaneously (at organization level at least) putting so many people in a jobless position, that’s a rather bold cognitive dissonance to throw at the world to my mind.

If pointing out "odd financial priorities" of a non-profit is flame bait, one might wonder how humanity is supposed to mend all organizational dysfunctions it can ever fall into.

redserk

7 hours ago

It’s pretty relevant considering the continued mismanagement of Mozilla.

Nobody would care about Mozilla in 2024 without Firefox, but Firefox development seemingly takes a back seat to a variety of other pet projects that Mozilla’s management tries (and keeps failing, over and over) to chase.

For example, they’ve been trying a pivot to become a community-focused privacy company the last couple of years, yet are fine with implementing ad topics.

AFAIK didn’t Safari advocate against it over privacy concerns? If so, what is Mozilla doing?

Or their partnering with a shady company for removing data from data brokers.

Before the privacy pivot, there was the “we want to make browsing better” pivot with their acquisition of Pocket that went nowhere.

From the outside Mozilla looks like a low-scoring charity grift you’d find on CharityNavigator with how far they deviate from the missions they claim to support.

heresie-dabord

7 hours ago

From the fine article:

> Throughout 2024, so far, Mozilla had to fix zero-day vulnerabilities on Firefox only once.

> On March 22, the internet company released security updates to address CVE-2024-29943 and CVE-2024-29944, both critical-severity issues

Vulnerabilities will be found in everything. Firefox is a fully internationalised application and it is FOSS. The team responsible for Firefox is doing a good job.

high_na_euv

7 hours ago

>Vulnerabilities will be found in everything.

Different ratios, different consequences, etc.

Ygg2

7 hours ago

Sounds like Mozilla should invent a low level language with great safety guarantees, maybe even call it after some form of oxidation process[1]. Then make a browser engine called after a motor[2], and then NOT axe the team responsible for it[3].

I think the last part might be crucial.

[1] https://www.rust-lang.org/

[2] https://servo.org/

[3] https://paulrouget.com/bye_mozilla.html

high_na_euv

7 hours ago

Im aware of Rust, but there is C#/Java too, with way bigger ecosystem, community and lower entry level

Yoric

6 hours ago

A long time ago, the possibility of using Java or C# in Gecko (the core of Firefox) was pondered.

Java was rejected because of the huge memory requirements and the unpredictable (and sometimes lengthy) garbage-collection pauses.

C# was rejected because (at the time) it was too tied to the Microsoft ecosystem and there was no way to get it to build on all the platforms for which Firefox is available. I don't remember garbage-collection pauses being discussed, but they would also be an issue.

m4rtink

6 hours ago

It seems to me that both C#/Java have build their own niches and are hard to impossible to realistically use outside of them, such as to write a web browser.

aryonoco

6 hours ago

I think of browsers these days on par with OSes. I mean, they provide a runtime to execute binary code (wasm). They do process management and scheduling. They do a lot of things which up until 15 years ago, we thought bongs to the realm of Operating Systems.

And history has shown that when you need to do that kind of low level code, it's nigh on impossible to achieve acceptable results with a garbage collected language. Many people tried, none really succeeded.

Hence why Rust was made

fulafel

8 hours ago

They already are partly in JS so there's a smooth path.

(Wasm isn't safe but could be a building block too)

flohofwoe

7 hours ago

I can't find the link right now but I seem to remember that Firefox already replaced some internal native subsystems with the same code compiled to WASM - or maybe even compiled to WASM and then translated back to C, which basically adds a runtime memory safety layer to unsafe C code at the cost of some performance (I think it was a couple of media codecs, but not sure).

Not sure why you think that WASM is less secure than JS though. Even if the WASM heap has internal corruption there's no way for this to do damage outside the WASM sandbox that wouldn't be possible in JS.

fulafel

7 hours ago

If your browser is running in a wasm sandbox, it's a minor comfort that only your browser gets compromised which contains all your creds, etc.

flohofwoe

7 hours ago

Only parts of the browser are running in multiple small isolated WASM sandboxes, those WASM sandboxes are isolated from outside world about as well as if they would run in their own process.

fulafel

7 hours ago

Compartments of internally unsafe sandboxes are what we have now, with browsers employing native-code sandboxes and isolated renderer processes etc. It gets leaky.

moffkalast

7 hours ago

> if it means some perf drop, modern hardware will get it back in X years

I think the unfortunate reality is that other browsers will also take advantage of that speed boost, sites will get even more bloated because they can and it will stay unusable for a long long time.

calyhre

5 hours ago

It's fixed in the developer edition 132.0b5 also if you are wondering

Ennea

4 hours ago

I was indeed wondering. Thank you.

rightbyte

4 hours ago

This seems quite bad, but how practical is it.

Like, the attacker will get write and read access to part or the whole of some other object allocated on the heap, when the memory is reused?

Seems hard to do anything useful with.

jokoon

5 hours ago

I wonder how many skilled black hats work for Iran, China or Russia.

And I can imagine that those countries use front companies to buy exploit.

I just hope that those blackhats understand that their discovery might land in the wrong hands.

I guess those blackhats don't like authoritarian regimes.

user

9 hours ago

[deleted]

user

8 hours ago

[deleted]

nullc

7 hours ago

Regain your ability to sleep at night: https://www.qubes-os.org/

fransje26

7 hours ago

From your experience, what are the system requirements needed to use that as comfortably as your daily driver?

nullc

7 hours ago

They're increased, and some things are just obviously slow at least without extra effort to setup things like gpu pass-through. But is it worth basically turning back the clock on your computer's performance a few years to live in a world where a random click from HN or reddit can't quietly compromise your entire computer? I think so.

Probably the biggest thing is to have a lot of ram, because if you're really using the virtualization it's a bit ram inefficient.

Many things I expected to be hard or annoying just turn out to be non-issues. Qubes has lots of good automation to make it pretty seamless to use multiple VMs.

I was already a fedora user, so I just copied my old home into a new app vm and was instantly productive. Then over time I weaned myself off the monolithic legacy vm into partitioned VMs.

prmoustache

2 hours ago

> "obviously slow at least without extra effort to setup things like gpu pass-through."

AFAIK unless you have a desktop computer filled with gpus on pciexpress slots there is no way you can use GPU passthrough on multiple VMs.

That kind of defeat the purpose of qubes os no?

mikedelfino

5 hours ago

> a world where a random click from HN or reddit can't quietly compromise your entire computer

Doesn't Flatpak also solve this?

creata

7 hours ago

Does virtualization have that big a security benefit over containers? It's certainly a lot more expensive.

rwmj

7 hours ago

Containers share the same kernel as the host. If you're happy sharing millions of lines of monolithic C between trust domains ...

creata

6 hours ago

Yes, but it's a compromise, because I'm not happy spinning up tons of kernels and trying to share access to devices that do not want to be shared, either.

You're right that the trusted codebase is huge, but I sincerely do not know how big a problem this is in practice, hence the question.

nullc

6 hours ago

Qubes does have answers to the device stuff, like sticking network devices in a network vm, which only talks to a firewall vm, which talks to your other vms. There is a reasonable gui interface where you can just plug devices into particular VMs for other things.

In my usage I've never felt the need to share stuff other than the network/sound/storage stuff that qubes make just work. Other devices tend to be just plug them into the particular VM that needs them. YMMV.

I would say that perhaps containers could do just as well, or some other technology. The thing qubes brings to the table is that other people are doing most of the heavy lifting to make a usable desktop out of a highly virtualized system.

There may be path dependent reasons why qubes approach isn't the best possible... but it doesn't matter because so much stuff just working is worth so much. That the compromise we always make when running a distribution... one could meta-x butterfiles and write your own kernel from scratch, or whatever. Or you can run a system created by others. Their system may have decisions you disagree with or are objectively bad, but they saved you 12 months of tinkering with the dynamic linker-- well worth it. :)

For me, the alternative of having my whole laptop compromised by some browser zero day or because a malicious party sent me some malware document was just not viable. I was already carrying two laptops for isolation, and suffering some anxiety from the residual risk. But in my case I've been targeted specifically (due to cryptocurrency bullshit), a friend and former colleague was hit with an astonishingly sophisticated attack that used stuff like BMC vulnerabilities on his web server and then traversal with X11 forwarding and stuff like that all to just break into his desktop.

So I'd probably be using qubes today even if I could only move the mouse with my tongue and the computer was slowed down to the speed for a 486sx. But the incorrect belief that it would be that kinda hit really delayed my adoption. It's a hit, it's real, but at least for my usage it was far smoother than I expected.

I think right now the only obvious wart I experience is that full screen video stutters pretty badly. So I just don't watch video full screen on the laptop now. There are things that might fix it, but I haven't bothered even trying.

There are benefits I didn't expect too. For example, The operating system image in a normal application VM isn't persistent, only your home directory. So you can just scribble all over the OS install in an app vm and it'll go away when you restart it. If you want it to be persistent you change the underlying templatevm. So to get something working I can totally take a chainsaw to my configuration confident I won't get stuck with anything broken. Once I figure out the changes I can apply just the required steps in a template.

Another benefit is that updating fedora versions is a riskless breeze--- install a new template vm. shut down your app vms, click to change template. Restart them if some particular app vm is broken, switch it back and worry about it when you have time.

krageon

6 hours ago

Containers aren't a security measure, so you'd be comparing a stick of wood to a car in this case.

sylware

8 hours ago

until the next one...

It has been like that for most 'internet software' in the last decades, no light at the end of this tunnel.

okasaki

8 hours ago

It references "Bug 1923344" but when I click the link I get "You are not authorized to access bug 1923344."

pja

8 hours ago

> It references "Bug 1923344" but when I click the link I get "You are not authorized to access bug 1923344."

They usually make the bug reports public eventually.

baq

8 hours ago

This is a feature.

user

5 hours ago

[deleted]

loopdoend

8 hours ago

Fixed many months ago just being made public now, according to the bug tracker. Why a 7 month delay?

jokoon

5 hours ago

Because if you make it public too early, it gives some time for attackers to write exploit to target unpatched versions.

Firefox is used in other projects, so the patch needs to spread, and time is needed.

Brybry

8 hours ago

I didn't get the ESR 128.3.1 update until yesterday.

gpvos

8 hours ago

Citation needed.