Mozilla Fixes Critical Zero-Day Vulnerability in Firefox and Thunderbird

September 12, 2023

Mozilla has released urgent security patches to rectify a critical zero-day vulnerability, identified as CVE-2023-4863, that has been exploited in the wild. This vulnerability affects the company's Firefox web browser and Thunderbird email client. The security flaw originates from a heap buffer overflow in the WebP code library (libwebp), and its consequences can range from system crashes to arbitrary code execution.

"Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla stated in a security advisory released on Tuesday. The vulnerability was addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
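Because the fix shipped on several release branches at once, a naive "is the version at least 117.0.1" check would wrongly flag a patched ESR 115 or ESR 102 build as vulnerable. The Python below is an added example, not code from Mozilla's advisory; it compares an installed build against the fixed version for its own branch, using the version numbers listed above, and the inventory entries are constructed sample data.

```python
# Minimum fixed versions from Mozilla's CVE-2023-4863 advisory, keyed by
# product and release branch. Each branch is its own line: an ESR build is
# never upgraded to the rapid-release number, so 115.2.1 must be compared
# against the ESR 115 fix, not against 117.0.1.
FIXED_VERSIONS = {
    ("firefox", 117): (117, 0, 1),
    ("firefox", 115): (115, 2, 1),   # Firefox ESR 115
    ("firefox", 102): (102, 15, 1),  # Firefox ESR 102
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}


def parse_version(text):
    """Turn '115.2.1' or '117.0.1esr' into a comparable tuple of ints."""
    core = text.strip().lower().removesuffix("esr")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '117.0' to (117, 0, 0)


def is_patched(product, version):
    """Return True if this build carries the CVE-2023-4863 fix."""
    ver = parse_version(version)
    product = product.lower()
    key = (product, ver[0])
    if key in FIXED_VERSIONS:
        return ver >= FIXED_VERSIONS[key]
    # Assumption: any major newer than the newest fixed branch was cut after
    # the fix. Any other major (e.g. a stale 116 build that never moved to
    # 117.0.1) is treated as unpatched.
    newest = max(m for p, m in FIXED_VERSIONS if p == product)
    return ver[0] > newest


# Constructed sample inventory (hostname, product, reported version).
INVENTORY = [
    ("host-a", "firefox", "117.0.1"),
    ("host-b", "firefox", "115.2.0esr"),
    ("host-c", "firefox", "116.0.3"),
    ("host-d", "thunderbird", "115.2.2"),
    ("host-e", "firefox", "102.15.1esr"),
]


def vulnerable_hosts(inventory):
    """Names of hosts whose build predates the fix on its branch."""
    return [host for host, product, ver in inventory
            if not is_patched(product, ver)]


if __name__ == "__main__":
    print(vulnerable_hosts(INVENTORY))  # ['host-b', 'host-c']
```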

While specific details about how the WebP flaw has been exploited in attacks are yet to be revealed, it is clear that this critical vulnerability is being exploited in the wild. Users are therefore strongly encouraged to install the updated versions of Firefox and Thunderbird to protect their systems from potential attacks.

In its security advisory, Mozilla noted that CVE-2023-4863 also affects other software that uses the vulnerable version of the WebP code library. This includes the Google Chrome web browser, which received a patch for this flaw on Monday. Google has also acknowledged that an exploit for CVE-2023-4863 exists in the wild. Updates for Chrome are currently being rolled out to users via the Stable and Extended Stable channels and are expected to reach all users in the coming days or weeks.

The bug was reported on September 6th by Apple's Security Engineering and Architecture (SEAR) team and The Citizen Lab at the University of Toronto's Munk School. The Citizen Lab security researchers have a track record of identifying and reporting zero-day vulnerabilities often exploited in targeted espionage campaigns led by government-affiliated actors. These campaigns usually target individuals at high risk of attack, such as journalists, opposition politicians, and dissidents.

On Thursday, Apple also issued patches for two zero-days identified by Citizen Lab as exploited in the wild. These were part of an exploit chain named BLASTPASS used to deploy NSO Group's Pegasus spyware onto fully patched iPhones. The BLASTPASS patches were also backported to older iPhone models, including iPhone 6s models, the iPhone 7, and the first generation of iPhone SE.
