Russian APT RomCom combines Firefox and Windows zero-day flaws in drive-by exploit

When a victim visits the redirect page, malicious JavaScript executes and exploits a use-after-free memory vulnerability in the Firefox animation timelines feature. The flaw, now tracked as CVE-2024-9680, was patched on Oct. 9, one day after the ESET researchers reported it to Mozilla. The vulnerability is rated critical with a score of 9.8 and results in code execution inside the Firefox content process; in this case, the code executed is a malicious DLL.

“Mozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9, 2024,” the ESET researchers said. “Essentially, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.”
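The ownership change described in the quote above, modeled as an added example (not Mozilla's code and not from the article): `std::shared_ptr` stands in for `RefPtr`, and the `Animation` and `Timeline` types and the functions `MakeTimeline`, `TickNonOwning` and `TickOwning` are hypothetical simplifications. A `std::weak_ptr` snapshot stands in for raw pointers so the entry freed mid-loop can be counted without touching freed memory.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

struct Timeline;
// Hypothetical stand-in for an animation; removes_id is the one it cancels when ticked.
struct Animation {
    int id, removes_id, ticks = 0;
    Animation(int i, int r) : id(i), removes_id(r) {}
    void Tick(Timeline& tl);
};
struct Timeline {
    std::vector<std::shared_ptr<Animation>> animations;
    void Remove(int id) {  // drops the timeline's reference to one animation
        animations.erase(std::remove_if(animations.begin(), animations.end(),
            [id](const std::shared_ptr<Animation>& a) { return a->id == id; }),
            animations.end());
    }
};
void Animation::Tick(Timeline& tl) { ++ticks; if (removes_id >= 0) tl.Remove(removes_id); }

Timeline MakeTimeline() {  // constructed sample: animation 1 cancels animation 2
    Timeline tl;
    tl.animations = {std::make_shared<Animation>(1, 2),
                     std::make_shared<Animation>(2, -1), std::make_shared<Animation>(3, -1)};
    return tl;
}
// Non-owning snapshot: returns how many entries were destroyed while the loop
// was still running. With raw pointers each of these would be a dangling access.
int TickNonOwning(Timeline& tl) {
    std::vector<std::weak_ptr<Animation>> snap(tl.animations.begin(), tl.animations.end());
    int freed = 0;
    for (auto& w : snap) {
        if (auto a = w.lock()) a->Tick(tl); else ++freed;
    }
    return freed;
}
// Owning snapshot: the loop holds a reference, so every object outlives the tick.
int TickOwning(Timeline& tl) {
    std::vector<std::shared_ptr<Animation>> snap = tl.animations;
    int ticked = 0;
    for (auto& a : snap) { a->Tick(tl); ++ticked; }
    return ticked;
}
int main() {
    Timeline a = MakeTimeline(), b = MakeTimeline();
    std::printf("non-owning snapshot: %d entry freed mid-tick\n", TickNonOwning(a));
    std::printf("owning snapshot: %d animations ticked safely\n", TickOwning(b));
}
```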

A privilege escalation flaw in Windows Task Scheduler

The Firefox content process is sandboxed and runs at an untrusted privilege level, which means that the attackers couldn’t execute code on the underlying operating system with the Firefox vulnerability alone.
