ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit

Telorand@reddthat.com 12 points 2 days ago

Tldr:

  • Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched the vulnerability on October 9th, 2024.

  • Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE-2024-49039, that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12th, 2024.

If you're up to date on your security patches, you're fine.

this post was submitted on 26 Nov 2024
41 points (97.7% liked)