Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird

Cyber Security

Sep 13, 2023THNVulnerability / Browser Security

Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser.

The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.

“Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” Mozilla said in an advisory. “We are aware of this issue being exploited in other products in the wild.”

According to the description on the National Vulnerability Database (NVD), the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School have been credited with reporting the security issue. It has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

The development comes a day after Google released fixes for the same flaw in Chrome, noting it’s “aware that an exploit for CVE-2023-4863 exists in the wild.”

Last week, Apple also published updates to plug two actively exploited security holes that the Citizen Lab said have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully-patched iPhones running iOS 16.6.

While specific details regarding the flaws’ exploitation remain unknown, it’s suspected that they are all being leveraged to target individuals who are at an elevated risk, such as activists, dissidents, and journalists.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Google AI-Powered Air View+ Announced With Real-Time Hyperlocal Air Quality Information Across India
Google Pixel 9 Pro Review: A Pocketable Champion
Google’s AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects
Samsung’s Black Friday Sale Brings Big Discounts on Galaxy Z Fold 6, Galaxy S24 Series, More
Samsung’s One UI 7 Update Release Timeline for Galaxy S24 Series and Older Models Leaked