ALERT: Update Mozilla Firefox Browser for Zero-Day Vulnerability
Thursday, October 10, 2024
This message is intended for U-M IT staff who are responsible for university devices running the Firefox web browser. It will also be of interest to individuals who have Firefox installed on their own devices.
Summary
Firefox has released security updates to address a high-severity, zero-day vulnerability in the Firefox browser.
Problem
Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks. This type of flaw occurs when memory that has been freed is still used by the program, allowing malicious actors to add their own malicious data to the memory region to perform code execution.
Such remote code execution vulnerabilities could be used by threat actors in several ways, either as part of a watering hole attack targeting specific websites or using a drive-by download campaign that tricks users into visiting bogus websites.
Threats
According to Firefox, an exploit for this vulnerability exists in the wild and reports indicate that the vulnerability is being actively exploited.
Affected Versions
The issue has been addressed in the following versions of the web browser:
- Firefox 131.0.2
- Firefox ESR 128.3.1, and
- Firefox ESR 115.16.1.
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
To begin using the new version:
- Launch Firefox and go to Settings > Help > About Firefox, and the update should start automatically.
- A restart of the program will be required for the changes to apply.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
MiWorkspace machines will be patched as soon as possible. If you have Mozilla Firefox installed on your own devices that are not managed by the university, please follow the steps in Action Items above.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.