Security vulnerabilities are unfortunately inevitable, whatever program you're using. Software is never perfect, and there will always be an unforeseen flaw that might allow a bad actors to exploit an application and its users. The key is to find those flaws before the bad actors do, and patch them before anyone has the chance to discover how to exploit them.
Unfortunately, it's too late for that when it comes to Firefox's latest security vulnerability. Mozilla, Firefox's developer, announced in a security advisory on Wednesday that it had patched a "critical" flaw with the browser. The company says the issue, CVE-2024-9680, is a "use-after-free" flaw affecting Animation timelines. Use-after-free flaws occur when a system frees up memory, but a program continues to access it anyway. While this can result in general software issues, it also opens the door for bad actors to jump in. In this case, Mozilla confirms the flaw allows an attacker to "achieve code execution," or run their own malicious code, through the exploit.
What makes this particular flaw a critical issue is that it is a zero-day with an active exploit. A zero-day is a flaw discovered before the developer (Mozilla) has a chance to patch it. While not all zero-days are actively exploited, this one has been: Mozilla says they have reports of active exploitation in the wild, although it's not clear by whom or to what degree.
No matter the case, all Firefox users should update their browsers as soon as possible to this latest version, 131.0.2, if they haven't done so already.
How to update Firefox and patch this security vulnerability
To update your Firefox browser, open the app on your computer, then head to Settings. Under General, scroll down to Firefox Updates (or search "Firefox Updates" at the top of the page), then click Check for updates. If one is available, follow the on-screen instructions to install the patch.
