Mozilla Resolves Zero-Day in Firefox & Thunderbird

Mozilla Fixes Zero-Day Vulnerability in Firefox and Thunderbird

Mozilla released security updates on Tuesday to address a significant zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, just one day after Google fixed the bug in its Chrome browser.

The issue, tracked as CVE-2023-4863, is a heap buffer overflow in the WebP image format that could lead to arbitrary code execution when processing a specially crafted image.

In an advisory, Mozilla stated that “opening a malicious WebP image could result in a heap buffer overflow in the content process.” “We are aware of this issue being exploited in other products out in the wild.”

According to the description in the National Vulnerability Database (NVD), the weakness could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

The security flaw was discovered by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School. The issue has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
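For administrators checking a fleet against the fixed releases listed above, the following is an added example (not code from Mozilla or from the original article) that flags installed versions that predate the fix on their branch. The inventory rows and host names are constructed, and the rule that majors newer than the newest listed branch already carry the fix is an assumption.

```python
import re

# Fixed releases as listed in the article, keyed by product, then major branch.
FIXED = {
    "firefox": {117: (117, 0, 1), 115: (115, 2, 1), 102: (102, 15, 1)},
    "thunderbird": {115: (115, 2, 2), 102: (102, 15, 1)},
}


def parse_version(text):
    """Turn '115.2.0esr' or '117.0' into a 3-tuple of ints, padding with zeros."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_patched(product, version_text):
    """True if the version is at or above the fixed release for its branch."""
    branches = FIXED[product.lower()]
    version = parse_version(version_text)
    major = version[0]
    if major in branches:
        return version >= branches[major]
    # Assumption: majors newer than the newest listed branch include the fix.
    # Any other major (e.g. 116, or anything below 102) has no listed fix.
    return major > max(branches)


def audit(inventory):
    """Return the (host, product, version) rows that still need updating."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "117.0"),
    ("ws-02", "firefox", "117.0.1"),
    ("ws-03", "firefox", "115.2.0esr"),
    ("ws-04", "firefox", "102.15.1esr"),
    ("ws-05", "thunderbird", "115.2.1"),
    ("ws-06", "thunderbird", "102.15.1"),
    ("ws-07", "firefox", "116.0.3"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} predates the CVE-2023-4863 fix")
```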

The news comes just one day after Google released fixes for the same flaw in Chrome, stating that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”

Apple also released fixes last week for two actively exploited security flaws that Citizen Lab says were leveraged as part of the BLASTPASS zero-click iMessage exploit chain to implant the Pegasus spyware on fully patched iPhones running iOS 16.6.

While specifics about how the flaws are being exploited are unknown, they are all believed to be used to target individuals who are at high risk, such as activists, dissidents, and journalists.
