2024-11-26 09:38:00
www.welivesecurity.com
Video
The backdoor can execute commands and lets attackers download additional modules onto the victim’s machine, ESET research finds
26 Nov 2024
ESET researchers have uncovered two previously unknown vulnerabilities in several Mozilla products and in Windows, with both flaws under active exploitation by RomCom, a Russia-aligned group known for opportunistic campaigns against selected business verticals and targeted espionage operations alike.
- CVE-2024-9680 is a use-after-free bug that allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Mozilla patched the vulnerability on October 9th, 2024.
- CVE-2024-49039 is a privilege escalation bug in Windows that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12th, 2024.
Chaining the two flaws allows bad actors to run arbitrary code in the context of the logged-in user – and without any user interaction – in a so-called zero-click exploit. In campaigns observed by ESET, this led to the installation of RomCom’s eponymous backdoor on the victim’s computer. The backdoor can execute commands and download additional modules to the victim’s machine.
What exactly does the compromise chain involve and what else is there to know about the vulnerabilities and the exploits abusing them? Find out in the video by ESET Chief Security Evangelist Tony Anscombe and be sure to also read the full blogpost.