Advisory

ESET researchers warn of active chained exploits of Firefox and Windows by hacking group

Take action: Update Firefox (including ESR), Thunderbird, Tor Browser and Firefox-based browsers such as Waterfox. Then apply the November 2024 Windows update. Patching the browsers is trivial, so don't delay.


Learn More

ESET researchers have discovered two zero-day vulnerabilities being actively exploited by the Russia-aligned APT group RomCom. Chained together they form a zero-click attack: loading a malicious web page is enough, and no further user interaction is required.

  • CVE-2024-9680 (CVSS score 9.8): a use-after-free in the animation timeline feature of Mozilla products (Firefox, Thunderbird and Tor Browser) that gives code execution inside the browser's sandboxed content process
  • CVE-2024-49039 (CVSS score 8.8): a Windows privilege-escalation vulnerability in the Task Scheduler service, reached through an undocumented RPC endpoint, that lets code running inside Firefox's sandbox execute outside it

Attack Chain:

  1. The victim visits a malicious or compromised website (directly or through a redirect)
  2. The browser exploit for CVE-2024-9680 triggers automatically, without user interaction
  3. The initial shellcode runs inside the sandboxed Firefox content process
  4. A second-stage payload escapes the sandbox by exploiting CVE-2024-49039 in Windows
  5. The RomCom backdoor is downloaded and executed outside the sandbox with the elevated privileges gained in step 4

Affected Products and First Patched Versions:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1 and 128.3.1
  • Tor Browser 13.5.7
  • Tails 6.8.1
  • Thunderbird 115.16, 128.3.1, and 131.0.1

Mozilla patched CVE-2024-9680 within 24 hours of ESET's report, releasing the fixed builds on October 9, 2024. Microsoft fixed CVE-2024-49039 in its November 12, 2024 Patch Tuesday release; on Windows 10 the fix ships in cumulative update KB5046612, and other Windows builds receive it in their own November 2024 cumulative update.
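The following is an added inventory check, not tooling from ESET, Mozilla or Microsoft. It compares installed Firefox and Thunderbird versions against the first patched releases listed above and checks whether the Windows update named above is present. It assumes that Firefox and Thunderbird record a CurrentVersion value under the "Mozilla <Product>" registry keys (plus WOW6432Node for 32-bit installs), that portable builds such as Tor Browser are therefore not visible to it, and that KB5046612 is only the right identifier on the Windows 10 builds it targets.

```powershell
# Added example (not ESET's, Mozilla's or Microsoft's code): check a Windows host
# against the fixed versions quoted in this advisory.
# Assumptions:
#  - Firefox/Thunderbird store "CurrentVersion" (e.g. "131.0.2 (x64 en-US)") under
#    HKLM/HKCU:\SOFTWARE\Mozilla\Mozilla <Product>; portable builds (Tor Browser)
#    are not registered there and must be checked by hand.
#  - KB5046612 is the Windows 10 cumulative update; other Windows builds carry the
#    CVE-2024-49039 fix under a different KB number, so a miss there is not proof
#    of exposure on its own.

function ConvertTo-PaddedVersion {
    param([string]$Text)
    # Keep the numeric part and pad to three components so "115.16" == "115.16.0".
    $num = ($Text -split '\s+')[0]
    while (($num -split '\.').Count -lt 3) { $num += '.0' }
    [version]$num
}

# First fixed release per branch, taken from the list above.
$FixedVersions = @{
    'Mozilla Firefox'     = @{ 115 = [version]'115.16.1'; 128 = [version]'128.3.1'; 131 = [version]'131.0.2' }
    'Mozilla Thunderbird' = @{ 115 = [version]'115.16.0'; 128 = [version]'128.3.1'; 131 = [version]'131.0.1' }
}

function Test-MozillaPatched {
    foreach ($product in $FixedVersions.Keys) {
        $paths = @(
            "HKLM:\SOFTWARE\Mozilla\$product",
            "HKLM:\SOFTWARE\WOW6432Node\Mozilla\$product",
            "HKCU:\SOFTWARE\Mozilla\$product"
        )
        foreach ($path in $paths) {
            $raw = (Get-ItemProperty -Path $path -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
            if (-not $raw) { continue }
            $installed = ConvertTo-PaddedVersion $raw
            $required  = $FixedVersions[$product][$installed.Major]
            # Branches not listed in the advisory: anything newer than 131.0.2
            # already contains the fix, anything older predates it, so compare
            # against the newest fixed release.
            if (-not $required) { $required = $FixedVersions[$product][131] }
            [pscustomobject]@{
                Product   = $product
                Path      = $path
                Installed = $installed
                Required  = $required
                Patched   = ($installed -ge $required)
            }
        }
    }
}

function Test-WindowsPatched {
    param([string]$KB = 'KB5046612')   # Windows 10 LCU named in the advisory
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KB          = $KB
        Installed   = [bool]$hotfix
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

Test-MozillaPatched | Format-Table -AutoSize
Test-WindowsPatched
```

Run it in a normal PowerShell session; reading HKLM does not require elevation. A product that is absent from all three registry paths is simply not reported, so a host with no rows for Firefox has no registered install rather than a patched one, and Tor Browser or other portable copies still need a manual version check.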

Based on ESET telemetry from October 10 to November 4, 2024, the number of potential victims per country ranged from single digits to about 250, primarily in Europe and North America.
