Mozilla Firefox exploited zero-day: Security Advisory 2024-51 Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1
CVE-2024-9680 (9.8 critical) Use-after-free in Animation timeline

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.

See related @BleepingComputer reporting: Mozilla fixes Firefox zero-day actively exploited in attacks

The Canadian Centre for Cyber Security (CCCS) has a useless Mozilla security advisory (AV24-576) which doesn't indicate that this is an actively exploited zero-day. What's the point in an advisory when it doesn't provide the biz?

#zeroday #vulnerability #firefox #mozilla #cve #CVE_2024_9680

The number of CNAs over time (#CVE Numbering Authorities). At 385 right now. Over 20,000 CVEs published in the first half of 2024.

From the "CVE Program and CNA Quarterly Report"

✅ Achievement unlocked - Got a minor credit in a CVE.

mcphail wrote:

"I recently found a bug in Snap, a package manager for Ubuntu and other Linux distributions, which allows the snap to escape the sandbox and run arbitrary code (as the user) if the home permission is set. This exploit could be run on a vanilla install of Ubuntu and was patched in commit aa191f9 on 13th March 2024."

gld.mcphail.uk/posts/explainin…

cve.mitre.org/cgi-bin/cvename.…

#cve #snapcraft #linux

Interesting 🤔 how #CVE are leveraged as resume items, putting #programmers #developers & project leads under pressure by #bogus CVE reports or unnecessary high CVE ratings.

Popular and obscure programs are affected in the #OpenSource #POSIX world e.g #Linux #freeBSD #netBSD #openBSD

#Curl ➰ by #Daniel #Stenberg and #IP by #Fedor #Indutny are popular programs hit by this #phenomena which can lead to unwarranted #panic in the users space

bleepingcomputer.com/news/secu…

Two years ago I chased a ghost #curl #CVE that Apple invented: daniel.haxx.se/blog/2022/03/23…

Fun times.

OK #vulnerability nerds

With the current state of #NVD, there is a need to fill the gap right now. It's expected that anything new happening is going to take months or years, which is longer than the world can wait

Anchore has an open source project we're currently calling "NVD Data Overrides" (naming things is hard)
github.com/anchore/nvd-data-ov…

We're working on adding the same type of thing NVD used to do to the #CVE data. The data is licensed CC0, anyone can use it for anything.

The data repo currently has over 500 enriched IDs (there's a lot more to do, but this is how it starts).

If you're interested in this sort of thing please come help. The vulnerability world is now so big we need to cooperate the same way open source works, nobody can do this alone anymore

GitHub - anchore/nvd-data-overrides

Contribute to anchore/nvd-data-overrides development by creating an account on GitHub.

^GitHub

curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all for all products made and managed by the curl project. This includes curl, libcurl, and trurl.

cve.org/Media/News/item/news/2…

#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity

100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that. like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. cve.org/ProgramOrganization/CN…

#cve #cvss #cna #oss