Mozilla reveals critical vulnerability in Firefox

Satnam Narang, a senior staff research engineer at Tenable, noted in an interview that Mozilla hasn’t provided details about the exploit. “Unfortunately, without the full context we don’t know how widespread exploitation was,” he said. “I imagine it’s not super-wide, because if it was, we probably would have heard more about it. So I would err on the side of this likely being used in limited fashion in targeted attacks.”

Most IT administrators have auto-updating enabled by default, he added.

Use-after-free [UAF] vulnerabilities in applications are common, Narang said. In 2023, UAF vulnerabilities were at the top of the US Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities [KEV] catalogue. By comparison, MITRE’s wider list of bugs put UAF vulnerabilities in fourth place.