CVE-2024-10466
📋 TL;DR
A remote server can send a specially crafted push message that causes the browser's parent process to hang, making Firefox or Thunderbird unresponsive. This affects Firefox versions before 132, Firefox ESR before 128.4, Thunderbird before 128.4, and Thunderbird before 132.
💻 Affected Systems
- Firefox
- Firefox ESR
- Thunderbird
📦 What is this software?
Firefox by Mozilla
Thunderbird by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for affected browsers, requiring process termination and potential data loss in unsaved sessions.
Likely Case
Browser becomes unresponsive and must be force-closed, disrupting user workflow.
If Mitigated
Browser hangs temporarily but recovers if push message stops, or user force-closes and restarts.
🎯 Exploit Status
Exploitation requires sending a specially crafted push message, which any server with push notification capability could do.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 132+, Firefox ESR 128.4+, Thunderbird 128.4+, Thunderbird 132+
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-55/
Restart Required: Yes
Instructions:
1. Open browser.
2. Go to Settings > General > Firefox Updates.
3. Click 'Check for updates'.
4. Install available update.
5. Restart browser.
🔧 Temporary Workarounds
Disable push notifications
Prevent browsers from receiving push messages that could trigger the vulnerability.
In Firefox: about:preferences#privacy > Notifications > Settings > Block new requests
🧯 If You Can't Patch
- Disable push notifications in browser settings.
- Use network filtering to block push notification traffic.
🔍 How to Verify
Check if Vulnerable:
Check browser version against affected ranges: Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, Thunderbird < 132.
Check Version:
Firefox: about:support; Thunderbird: Help > About Thunderbird
Verify Fix Applied:
Confirm browser version is at or above patched versions: Firefox ≥ 132, Firefox ESR ≥ 128.4, Thunderbird ≥ 128.4, Thunderbird ≥ 132.
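The version boundaries above are easy to get wrong by hand because the ESR line (128.x) and the rapid-release line (129 to 132) were fixed at different numbers. The following Python checker is an added example, not part of the advisory or of Mozilla's tooling: it parses version strings such as `128.3.1esr` or `131.0.3`, decides which line the build is on, and compares it against the fixed versions stated on this page. The placement of a build on the ESR line when its major is 128 (even without an `esr` suffix, as Thunderbird reports it) is an assumption made for this example.

```python
import re

# Fixed versions as stated in the advisory:
#   ESR line (Firefox ESR / Thunderbird 128.x): fixed in 128.4
#   rapid-release line (Firefox / Thunderbird 132): fixed in 132
FIXED = {
    "firefox":     {"esr": (128, 4), "release": (132,)},
    "thunderbird": {"esr": (128, 4), "release": (132,)},
}

# Accepts "132.0", "131.0.3", "128.4.0esr" (optional "esr" suffix).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$")


def parse_version(text):
    """Turn '128.3.1esr' into ((128, 3, 1), True); raise ValueError on junk."""
    m = VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) is not None


def _less_than(a, b):
    """Numeric tuple comparison with zero-padding, so (132, 0) == (132,)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(product, version_text):
    """Return True if product/version falls inside the affected ranges on this page."""
    nums, esr_suffix = parse_version(version_text)
    fixed = FIXED[product.lower()]
    # Assumption for this example: a build on major 128 is treated as the ESR line
    # even without the "esr" suffix (Thunderbird 128 reports no suffix). Anything
    # with an explicit "esr" suffix is also compared against the ESR fix version,
    # which matches the page's "Firefox ESR before 128.4" wording.
    on_esr_line = esr_suffix or nums[0] == 128
    if on_esr_line:
        return _less_than(nums, fixed["esr"])
    return _less_than(nums, fixed["release"])


def report(product, version_text):
    """Human-readable one-liner for a fleet inventory script."""
    status = "VULNERABLE" if is_vulnerable(product, version_text) else "patched"
    return f"{product} {version_text}: {status}"


if __name__ == "__main__":
    # Constructed sample inventory, not real telemetry.
    for product, version in [("firefox", "131.0.3"), ("firefox", "132.0"),
                             ("firefox", "128.3.1esr"), ("thunderbird", "128.4.0")]:
        print(report(product, version))
```

Feed it the version string shown on `about:support` (Firefox) or in Help > About Thunderbird; a rapid-release Firefox at 132.0 or an ESR at 128.4.0esr reports as patched, while 131.x or 128.3.x reports as vulnerable.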
📡 Detection & Monitoring
Log Indicators:
- Browser crash logs with parent process hangs
- High CPU usage by browser processes before hang
Network Indicators:
- Unusual push notification traffic patterns
- Multiple push messages from single source
SIEM Query:
source="browser_logs" AND (event="process_hang" OR event="unresponsive")
🔗 References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1924154
- https://www.mozilla.org/security/advisories/mfsa2024-55/
- https://www.mozilla.org/security/advisories/mfsa2024-56/
- https://www.mozilla.org/security/advisories/mfsa2024-58/
- https://www.mozilla.org/security/advisories/mfsa2024-59/
- https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html