The Tor logo

Tor Browser and Firefox users should update to fix actively exploited vulnerability

Mozilla has announced a security fix for its Firefox browser which also impacts the closely related Tor Browser.

The new version fixes one critical security vulnerability which is reportedly under active exploitation. To address the flaw, both Mozilla and Tor recommend that users update their browsers to the most current versions available.

Firefox users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser. Once you’re updated, your version number will be 131.0.3 or higher.

Other users can update their browser by following these instructions:

  • Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to Help, and select About Firefox/Tor Browser. The About Mozilla Firefox/About Tor Browser window will open.
  • Firefox/Tor Browser will check for updates automatically. If an update is available, it will be downloaded.
  • You will be prompted when the download is complete, then click Restart to update Firefox/Tor Browser.

To update the Tor Browser you have to Connect first or it will fail to fetch the update. The latest version of Tor is 13.5.7.

Tor Browser is up to date
Version number should be 13.5.7 or higher

The vulnerability, tracked as CVE-2024-9680, allows attackers to execute malicious code within the browser’s content process, which is the environment where it loads and renders web content.

About the vulnerability, Mozilla said:

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.”

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

The Animation Timeline interface of the Web Animations Application Programming Interface (API) represents the timeline of an animation. Where the timeline is a source of time values for synchronization purposes.

Exploitation is said to be relatively easy, requires no user interaction, and can be executed over the network.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.