Behind the Scenes: Fixing an In-the-Wild Firefox Exploit - Mozilla Security Blog

<!DOCTYPE html> <html lang="en-US" dir="ltr" class="no-js"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Behind the Scenes: Fixing an In-the-Wild Firefox Exploit - Mozilla Security Blog</title> <link rel="canonical" href="https://blog.mozilla.org/security/2024/10/11/behind-the-scenes-fixing-an-in-the-wild-firefox-exploit/" /> <link rel='stylesheet' id='frontierline-parent-css' href='https://blog.mozilla.org/security/wp-content/themes/frontierline/style.css?ver=6.3.5' type='text/css' media='all' /> <link rel='stylesheet' id='frontierline-css' href='https://blog.mozilla.org/security/wp-content/themes/frontierline-firefox/style.css?ver=1686919482' type='text/css' media='all' /> </head> <body class="post-template-default single single-post postid-2887 single-format-standard color-scheme-none pattern-none" data-blogname="Mozilla Security Blog"> <header id="masthead" class="section"> <div class="site-id"> <div class="site-title-wrap content"> <a href="https://blog.mozilla.org/security/" rel="home" title="Go to the front page"> <h4 id="site-title"><span>Mozilla Security Blog</span></h4> </a> </div> </div> </header> <div class="site-wrap"> 
<main id="content"> <div class="content"> <article id="post-2887" class="post post-2887 type-post status-publish format-standard hentry category-firefox category-security category-security-updates"> <header class="entry-header"> <div class="entry-tools"> <div class="categories"> <b>Categories:</b> <a href="https://blog.mozilla.org/security/category/firefox/" rel="category tag">Firefox</a> <a href="https://blog.mozilla.org/security/category/security/" rel="category tag">Security</a> <a href="https://blog.mozilla.org/security/category/security-updates/" rel="category tag">Security Updates</a> </div> </div> <h1 class="entry-title"> Behind the Scenes: Fixing an In-the-Wild Firefox Exploit </h1> <div class="entry-info"> <address class="vcard"> Tom Ritter </address> <time class="date published" datetime="2024-10-11T05:14:24-07:00">October 11, 2024</time> </div> </header> <div class="entry-content"> <p>At Mozilla, browser security is a critical mission, and part of that mission involves responding swiftly to new threats. Tuesday, around 8 AM Eastern time, we received a heads-up from the antivirus company ESET, which alerted us to a Firefox exploit that had been spotted in the wild. We want to give a huge thank you to ESET for sharing their findings with us—it’s collaboration like this that keeps the web a safer place for everyone.</p> <p>We’ve already <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/">released a fix</a> for this particular issue, so when Firefox prompts you to upgrade, click that button. 
If you don’t know about Session Restore, you can ask Firefox to <a href="https://support.mozilla.org/en-US/kb/restore-previous-session">restore your previous session</a> on restart. </p> <p>The sample ESET sent us contained a full exploit chain that allowed remote code execution on a user’s computer. Within an hour of receiving the sample, we had convened a team of security, browser, compiler, and platform engineers to reverse engineer the exploit, force it to trigger its payload, and understand how it worked. </p> <p>During exploit contests such as Pwn2Own, we know ahead of time when we will receive an exploit, can convene the team ahead of time, and receive a detailed explanation of the vulnerabilities and exploit. At Pwn2Own 2024, we shipped a fix in <a href="https://blog.mozilla.org/security/2024/04/04/rapidly-leveling-up-firefox-security/">21 hours</a>, something that helped us earn <a href="https://www.zerodayinitiative.com/blog/2024/8/1/introducing-the-vanguard-awards">an industry award</a> for fastest to patch. This time, with no notice and some heavy reverse engineering required, we were able to ship a fix in <strong>25 hours</strong>. (And we’re continually examining the process to help us drive that down further.)</p> <p>While we take pride in how quickly we respond to these threats, it’s only part of the process. We have resolved the vulnerability in Firefox, and our team will continue to analyze the exploit to find additional hardening measures that make deploying exploits for Firefox harder and rarer. It’s also important to keep in mind that these kinds of exploits aren’t unique to Firefox. Every browser (and operating system) faces security challenges from time to time. That’s why keeping your software up to date is crucial across the board.</p> <p>As always, we’ll keep doing what we do best—strengthening Firefox’s security and improving its defenses.</p> </div> </article><!-- #post --> </div> <aside id="newsletter-subscribe" class="section newsletter-firefox"> <form id="newsletter_form" class="content newsletter_form" name="newsletter_form" action="https://www.mozilla.org/en-US/newsletter/" method="post" data-blog="Mozilla Security Blog"> <input type="hidden" id="newsletters" name="newsletters" value="mozilla-and-you"> <input type="hidden" id="source_url" name="source_url" value="https://blog.mozilla.org/security/2024/10/11/behind-the-scenes-fixing-an-in-the-wild-firefox-exploit"> <div class="form-title"> <h3>Keep up with<br> all things Firefox.</h3> </div> <div id="form-contents" class="form-contents"> <div id="newsletter_errors" class="newsletter_errors"></div> <div class="field field-email"> <label for="email">Your e-mail address</label> <input type="email" id="email" name="email" required placeholder="yourname@example.com" size="30"> </div> <div class="form-details"> <div class="field field-country"> <label for="country">Country</label> <select id="country" name="country" required="required"> <option value="" selected="selected">- select -</option> 
<option 
value="nl">Netherlands</option> <option value="nc">New Caledonia</option> <option value="nz">New Zealand</option> <option value="ni">Nicaragua</option> <option value="ne">Niger</option> <option value="ng">Nigeria</option> <option value="nu">Niue</option> <option value="nf">Norfolk Island</option> <option value="mp">Northern Mariana Islands</option> <option value="no">Norway</option> <option value="om">Oman</option> <option value="pk">Pakistan</option> <option value="pw">Palau</option> <option value="xl">Palmyra Atoll</option> <option value="pa">Panama</option> <option value="pg">Papua New Guinea</option> <option value="xp">Paracel Islands</option> <option value="py">Paraguay</option> <option value="pe">Peru</option> <option value="ph">Philippines</option> <option value="pn">Pitcairn Islands</option> <option value="pl">Poland</option> <option value="pt">Portugal</option> <option value="pr">Puerto Rico</option> <option value="qa">Qatar</option> <option value="re">Reunion</option> <option value="ro">Romania</option> <option value="ru">Russia</option> <option value="rw">Rwanda</option> <option value="bl">Saint Barthelemy</option> <option value="sh">Saint Helena, Ascension, and Tristan da Cunha</option> <option value="kn">Saint Kitts and Nevis</option> <option value="lc">Saint Lucia</option> <option value="mf">Saint Martin</option> <option value="pm">Saint Pierre and Miquelon</option> <option value="vc">Saint Vincent and the Grenadines</option> <option value="ws">Samoa</option> <option value="sm">San Marino</option> <option value="st">Sao Tome and Principe</option> <option value="sa">Saudi Arabia</option> <option value="sn">Senegal</option> <option value="rs">Serbia</option> <option value="sc">Seychelles</option> <option value="sl">Sierra Leone</option> <option value="sg">Singapore</option> <option value="sx">Sint Maarten</option> <option value="sk">Slovakia</option> <option value="si">Slovenia</option> <option value="sb">Solomon Islands</option> <option 
value="so">Somalia</option> <option value="za">South Africa</option> <option value="gs">South Georgia and South Sandwich Islands</option> <option value="ss">South Sudan</option> <option value="es">Spain</option> <option value="xs">Spratly Islands</option> <option value="lk">Sri Lanka</option> <option value="sd">Sudan</option> <option value="sr">Suriname</option> <option value="xr">Svalbard</option> <option value="sz">Swaziland</option> <option value="se">Sweden</option> <option value="ch">Switzerland</option> <option value="sy">Syria</option> <option value="tw">Taiwan</option> <option value="tj">Tajikistan</option> <option value="tz">Tanzania</option> <option value="th">Thailand</option> <option value="tl">Timor-Leste</option> <option value="tg">Togo</option> <option value="tk">Tokelau</option> <option value="to">Tonga</option> <option value="tt">Trinidad and Tobago</option> <option value="xt">Tromelin Island</option> <option value="tn">Tunisia</option> <option value="tr">Turkey</option> <option value="tm">Turkmenistan</option> <option value="tc">Turks and Caicos Islands</option> <option value="tv">Tuvalu</option> <option value="ug">Uganda</option> <option value="ua">Ukraine</option> <option value="ae">United Arab Emirates</option> <option value="gb">United Kingdom</option> <option value="us">United States</option> <option value="uy">Uruguay</option> <option value="uz">Uzbekistan</option> <option value="vu">Vanuatu</option> <option value="va">Vatican City</option> <option value="ve">Venezuela</option> <option value="vn">Vietnam</option> <option value="vg">Virgin Islands, British</option> <option value="vi">Virgin Islands, U.S.</option> <option value="qw">Wake Island</option> <option value="wf">Wallis and Futuna</option> <option value="xw">West Bank</option> <option value="eh">Western Sahara</option> <option value="ye">Yemen</option> <option value="zm">Zambia</option> <option value="zw">Zimbabwe</option> </select> </div> <div class="field field-language"> <label 
for="lang">Language</label> <select id="lang" name="lang" required="required"> <option value="id">Bahasa Indonesia</option> <option value="de">Deutsch</option> <option value="en" selected="selected">English</option> <option value="es">Español</option> <option value="fr">Français</option> <option value="pl">Polski</option> <option value="pt">Português</option> <option value="ru">Русский</option> <option value="zh-TW">正體中文</option> </select> </div> <div class="field field-format"> <label for="format-h"><input checked="checked" id="format-h" name="fmt" value="H" type="radio"> HTML</label> <label for="format-t"><input id="format-t" name="fmt" value="T" type="radio"> Text</label> </div> <div class="field field-privacy"> <label for="privacy"> <input type="checkbox" id="privacy" name="privacy" required> I’m okay with Mozilla handling my info as explained in this <a href="https://www.mozilla.org/privacy/">Privacy Policy</a>. </label> </div> </div> <div class="form-submit"> <button id="newsletter_submit" type="submit" class="form-button button-light">Sign up now</button> <p class="form-details promise"> <small>We will only send you Mozilla-related information.</small> </p> </div> </div> <div id="newsletter_thanks" class="thanks"> <h2>Thanks!</h2> <p> If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us. 
</p> </div> </form> </aside> </main> <aside id="sidebar" class="section widgets can-stick"> <div class="content"> </div> </aside> </div><!-- /.site-wrap --> <footer id="site-info" class="section"> <div class="content"> <nav class="secondary"> <div class="small-links"> <p class="license"> Portions of this content are ©1998-2025 by individual contributors. Content available under a <a href="https://www.mozilla.org/foundation/licensing/website-content/" rel="external license">Creative Commons license</a>. </p> </div> </nav> </div> </footer> <!--[if IE 9]> <script type="text/javascript" src="https://blog.mozilla.org/security/wp-content/themes/frontierline/js/matchMedia.js"></script> <script type="text/javascript" src="https://blog.mozilla.org/security/wp-content/themes/frontierline/js/matchMedia.addListener.js"></scrip> <![endif]--> <script type='text/javascript' src='https://blog.mozilla.org/security/wp-content/themes/frontierline/js/global.js?ver=2.2' id='global-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/security/wp-content/themes/frontierline/js/basket-client.js?ver=1.2' id='basket-client-js'></script> </body> </html>
