Content-process only is one bug short of game over
CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
When CVE-2024-9680 was disclosed, the line that should have ended the “is this urgent” debate was the one that sounds reassuring: the bug only allows code execution in the browser’s content process. That’s the sandboxed tier, the one Firefox built specifically so a compromised web page can’t reach the rest of your machine. It sounds like a containment story. It wasn’t, because the people exploiting it brought a second bug.
ESET found the vulnerability being exploited in the wild on October 8, 2024, by the Russia-aligned RomCom group (also tracked as Storm-0978, Tropical Scorpius, and UNC2596). The Firefox flaw got the victim’s browser to run attacker code inside the sandbox. A second, previously unknown bug, CVE-2024-49039 in the Windows Task Scheduler (CVSS 8.8), broke out of the sandbox and ran code as the logged-in user. Chained, the two turned a single visit to a malicious page into the RomCom backdoor, with no clicks and no further interaction. That is the entire attack: the user browsed to a site, and the machine was compromised.
What the Firefox bug was
CVE-2024-9680 is a use-after-free (CWE-416) in Firefox’s Animation timeline handling, CVSS 9.8. The mechanism is the classic UAF shape: an animation object gets freed while another code path still holds a pointer to it, and the attacker arranges for the freed memory to be reclaimed with content they control before that dangling pointer is used. Mozilla’s advisory MFSA 2024-51 describes it as code execution in the content process, and CISA added it to the Known Exploited Vulnerabilities catalog on October 15, 2024, with a November 5 deadline and the ransomware-use flag set.
The affected surface is wider than “Firefox.” The fix landed in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1, plus the corresponding Thunderbird builds, because Thunderbird renders with the same engine. Anything built on that Gecko core during the exposure window was reachable through the same code path.
The pattern worth internalizing
The instinct to deprioritize a “content-process only” browser bug is understandable and, in isolation, defensible. Sandboxes work. The reason they don’t save you here is economic, not technical: a content-process RCE is valuable precisely because the second half of the chain, a sandbox escape, is a known and available commodity to a capable actor. An APT that has a working browser bug is not going to be stopped by needing a privilege-escalation or sandbox-escape primitive too. Those exist, get reused across campaigns, and outlive any single browser patch.
So the honest way to read a browser memory-safety bug with in-the-wild exploitation is not “contained to the sandbox.” It’s “one bug short of full user-context execution, and the attacker who has the first bug almost certainly has the second.” The CVSS 9.8 already reflects this; the sandbox caveat in the prose does not lower it. When a vendor ships an out-of-band fix and a nation-state group is named as the operator, the containment tier is a detail, not a reprieve.
The part that went right
The response is the operationally encouraging half of this story, and it’s worth saying plainly because this section usually documents failures. ESET reported the bug to Mozilla, and Mozilla shipped patched builds within roughly 25 hours, the kind of emergency release Mozilla internally calls a chemspill. For an actively exploited zero-day in the most exposed software on an endpoint, a one-day turnaround is close to the ceiling of what’s achievable. Microsoft patched the Windows half, CVE-2024-49039, through update KB5046612.
The catch is that a fast vendor patch only helps you if your fleet actually takes it, and this is where browser patching quietly diverges from the rest of patch management. Consumer Firefox auto-updates aggressively and most home users were protected almost immediately. Managed environments are the risk pocket: organizations that pin Firefox ESR, disable background updates through policy, or gate browser updates behind a change window can sit on a known-exploited browser RCE for days or weeks after the fix exists, which is the exact opposite of the threat model. The ESR channel exists to give enterprises stability, and the cost of that stability is that someone has to actively pull security releases rather than assume the browser handled it.
What to do
- Confirm your real installed version, not your baseline. You need Firefox 131.0.2 or later, ESR 128.3.1 or later, or ESR 115.16.1 or later. If you run a managed ESR fleet, check what the endpoints actually report, because a policy that defers updates will happily report “managed” while leaving the old build in place.
- Patch the Windows half too. CVE-2024-49039 is the escape that makes the browser bug catastrophic. KB5046612 closes it. Treat the two as one remediation, not two unrelated tickets in two different queues.
- Don’t forget Thunderbird. Same engine, same bug, separate update path. Mail clients are easy to miss in a browser-focused patch sweep.
- Revisit your browser-update policy as a security control. If your environment blocks or delays browser auto-updates, that policy is now a documented exposure window for the single most-targeted application on the endpoint. Decide deliberately whether the stability you’re buying is worth the days of extra risk on the next chemspill, because there will be a next one.
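A fleet-side check for the first and last items above (the installed build and the update policy), written here as an added example and not as any Mozilla tooling: it parses the version string Firefox prints, compares it against the fixed build for its branch, and inspects a policies.json for the two enterprise policy keys, DisableAppUpdate and AppAutoUpdate, that keep a managed browser from picking up an emergency release on its own. The thresholds are the Firefox ones from this note (131.0.2, ESR 128.3.1, ESR 115.16.1); Thunderbird's fixed build numbers are not on this page and are not encoded. The version strings and policy documents in the block are constructed.

```python
import json
import re

# Fixed Firefox builds per branch, as listed for CVE-2024-9680.
# ESR branches got their own backports, so a 128.x or 115.x build is judged
# against its branch threshold rather than against the release number.
FIXED_ESR = {
    115: (115, 16, 1),   # Firefox ESR 115.16.1
    128: (128, 3, 1),    # Firefox ESR 128.3.1
}
FIXED_RELEASE = (131, 0, 2)   # Firefox 131.0.2

# Firefox enterprise-policy keys (policies.json) whose values stop a managed
# build from installing a chemspill release without someone acting on it.
POLICY_FINDINGS = {
    ("DisableAppUpdate", True): "DisableAppUpdate=true: in-app updates are switched off entirely",
    ("AppAutoUpdate", False): "AppAutoUpdate=false: updates wait for someone to install them",
}


def parse_version(text):
    """Extract the dotted version from strings such as
    'Mozilla Firefox 128.3.0esr' and return it as a 3-tuple of ints."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def fixed_for(version):
    """Fixed build that applies to this version's branch."""
    return FIXED_ESR.get(version[0], FIXED_RELEASE)


def is_vulnerable(version_text):
    """True if the build predates the fix for its branch. A build outside the
    three fixed branches (129.x, 130.x, or anything older than 115) is compared
    against 131.0.2 and so reported as vulnerable, which is the right answer:
    no fixed build exists on that branch."""
    v = parse_version(version_text)
    return v < fixed_for(v)


def update_policy_findings(policies_json):
    """Findings from a Firefox policies.json document given as a string.
    A missing or empty policies block yields no findings."""
    pol = json.loads(policies_json).get("policies", {})
    return [msg for (key, bad), msg in POLICY_FINDINGS.items() if pol.get(key) is bad]


def assess(version_text, policies_json="{}"):
    """One record per endpoint: parsed version, exposure, and update blockers."""
    return {
        "version": parse_version(version_text),
        "vulnerable": is_vulnerable(version_text),
        "update_blockers": update_policy_findings(policies_json),
    }


# Constructed sample inventory: what `firefox --version` and a deployed
# policies.json might look like on four managed endpoints.
SAMPLE_FLEET = [
    ("Mozilla Firefox 128.3.0esr", '{"policies": {"DisableAppUpdate": true}}'),
    ("Mozilla Firefox 128.3.1esr", '{"policies": {"AppAutoUpdate": false}}'),
    ("Mozilla Firefox 130.0", "{}"),
    ("Mozilla Firefox 131.0.2", "{}"),
]

if __name__ == "__main__":
    for version_text, policies in SAMPLE_FLEET:
        r = assess(version_text, policies)
        state = "VULNERABLE" if r["vulnerable"] else "fixed"
        print(f"{version_text:30} {state:10} {'; '.join(r['update_blockers']) or '-'}")
```

The point of keying the threshold on the major version is the ESR case from the text: a 128.3.0esr endpoint is one patch level short, and a naive "is it at least 131.0.2" test would call every ESR box vulnerable forever, which trains people to ignore the check. The policy half is what turns "managed" into something you can actually see: an endpoint that is fixed today but carries DisableAppUpdate=true will be exposed again on the next chemspill until a human pushes the build.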
The reframe is short. “Only the content process” is not a severity downgrade when the attacker holding the bug is the kind who keeps a sandbox escape on the shelf. Read browser memory-safety bugs as full-compromise risk, patch them on the vendor’s clock rather than your maintenance window, and check that the auto-update you’re relying on is actually turned on. We flag the KEV-listed browser bugs the day they land, because the gap between “Mozilla shipped in 25 hours” and “the fleet picked it up” is where these breaches happen.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-9680 — 2024-10-09
- Mozilla MFSA 2024-51 — 2024-10-09
- ESET: RomCom exploits Firefox and Windows zero days in the wild — 2024-11
- Help Net Security: Actively exploited Firefox zero-day fixed (CVE-2024-9680) — 2024-10-10
- Infosecurity Magazine: RomCom APT leverages zero-day flaws in Firefox, Windows — 2024-11