Mozilla fixes Firefox zero-day actively exploited in attacks

Vulnerability characteristics

  • Reported as a use-after-free in Firefox “Animation timelines,” enabling code execution in the content process and known to be exploited in the wild.
  • Some discussion on whether JavaScript is required:
    • One side asserts JS is needed, citing that Firefox lacks CSS animation-timeline and that the relevant code is only reachable via the JS AnimationTimeline API and a preference flag.
    • Another asks for explicit citations; this remains somewhat indirect but broadly accepted in the thread.
  • Compared by some to media-decoder bugs (e.g., libwebp), with concern that non‑JS attack surfaces are harder to mitigate.

Scope, versions, and related projects

  • NVD entry states it affects Firefox < 131.0.2, ESR < 128.3.1, and ESR < 115.16.1.
  • There’s curiosity about when it was introduced; the lower bound is unclear, though one commenter notes it logically can’t predate the timeline API.
  • Likely impacts Thunderbird and Tor Browser; linked Tor bug and Red Hat Bugzilla activity support this.
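
The version bounds above can be turned into a fleet triage check. The following is an added example, not code from the thread or from Mozilla; it assumes version strings in the form printed by `firefox --version`, and the host names in the sample inventory are constructed.

```python
import re

# Fixed versions exactly as listed in the NVD entry summarized above.
FIXED_RELEASE = (131, 0, 2)
FIXED_ESR = {128: (128, 3, 1), 115: (115, 16, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)

def parse_version(text):
    """Parse '131.0.2' or 'Mozilla Firefox 128.3.0esr' -> ((maj, min, patch), is_esr)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    numbers = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return numbers, m.group(4) is not None

def classify(text):
    """Return 'below-fix', 'fixed' or 'unknown' for one version string."""
    version, is_esr = parse_version(text)
    if not is_esr:
        fixed = FIXED_RELEASE
    elif version[0] in FIXED_ESR:
        # ESR builds are judged against their own branch: 128.3.1esr is
        # numerically below 131.0.2 but already carries the fix.
        fixed = FIXED_ESR[version[0]]
    elif version[0] < min(FIXED_ESR):
        return "below-fix"   # older ESR branch, under every listed bound
    elif version[0] > max(FIXED_ESR):
        return "fixed"       # newer ESR branch, past every listed bound
    else:
        return "unknown"     # ESR major between the listed branches
    # No lower bound is modelled: the thread notes it is unclear.
    return "below-fix" if version < fixed else "fixed"

def triage(inventory):
    """Map host -> status for (host, version string) pairs."""
    return {host: classify(version) for host, version in inventory}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [("ws-01", "Mozilla Firefox 131.0"), ("ws-02", "Mozilla Firefox 131.0.2"),
          ("ws-03", "Mozilla Firefox 128.3.0esr"), ("ws-04", "Mozilla Firefox 115.16.1esr")]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

The version reported on disk can differ from the running process (see the snap note under "Updates and distribution quirks"), so collect the string from the running browser where possible.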

Mitigations, hardening, and sandboxing

  • Users share uBlock Origin filters to disable CSS animations and visual effects; unclear if this would block this specific exploit.
  • Suggestions to flip the dom.animations-api.timelines.enabled preference if relevant.
  • Recommended OS-level isolation: namespaces, firejail, and especially Qubes OS.
  • Debate over Flatpak:
    • Some say Flatpak/firejail would have mitigated this.
    • Others argue Flatpak is “not a real security sandbox” or is easy to escape; counterpoints note limited home access and Wayland/portal isolation.
  • Containers vs VMs: containers are criticized as sharing the same kernel; VMs are seen as stronger but costlier.

Languages, Rust, and browser design

  • Many argue Rust or other memory-safe languages could prevent use-after-free; others note real-world Rust code often needs unsafe.
  • Discussion of managed languages (Java/C#) for browsers:
    • Pros: safety, large ecosystems.
    • Cons: GC pauses, platform ties, difficulty matching low-level performance and concurrency needs.
  • Firefox already has ~11–12% Rust, but growth stalled after Mozilla layoffs; some see this, plus Servo’s de-funding, as mismanagement.

Updates and distribution quirks

  • Fix shipped quickly (hours after report, per a linked post).
  • Snap Firefox on Ubuntu may appear “up to date” while running; users must restart Firefox for snap refresh to actually switch to the new image.