Update Firefox 131 now to patch a critical zero-day security flaw
Yesterday, Mozilla released the Firefox 131.0.2 update in response to reports that Firefox users are actively being hit by a zero-day vulnerability in the browser. Surprisingly, this is the first zero-day vulnerability discovered in Firefox this year.
In Mozilla’s Security Advisory report for the update, the fixed security flaw is listed as CVE-2024-9680, which is a use-after-free (UAF) vulnerability in CSS animations. An attacker who exploits this vulnerability can inject and execute arbitrary malicious code. ESET researcher Damien Schaeffer found the zero-day vulnerability, but Mozilla is keeping a lid on details about the attacks and how widespread they are.
Firefox usually loads updates automatically and installs them when the browser is restarted. If you haven’t updated to 131.0.2 yet, you can use the Help > About Firefox menu to initiate an update check and download the update manually.
Mozilla also released security updates for the two ESR (Extended Support Release) editions of Firefox as well as the Tor Browser: versions Firefox ESR 115.16.1, Firefox ESR 128.3.1, and Tor Browser 13.5.7.
Firefox ESR 115 will continue to be provided with security updates until March 2025 at least, which is the only option for users on outdated versions of Windows and macOS. If you’re on a modern OS version, you’ll get Firefox ESR 128 if you’ve opted for the more-stable ESR branch.
The updated Tor Browser remains based on Firefox ESR 115.16, but Tor developers have backported the fix against CVE-2024-9680 from Firefox 131.0.2 without waiting for an ESR update. This means the Tor Browser is also secure after the update has been installed.
Tip: Don’t just keep your software up to date. For the broadest PC security protections, you should be running reputable antivirus software. Check out our best antivirus software picks if you need one.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.