Update Firefox and Thunderbird Now to Fix a Critical Security Flaw
The job of cybersecurity teams is to anticipate possible security vulnerabilities and stay on top of them whenever they do arise, ideally catching any issue before malicious actors find and exploit it. Not every vulnerability is caught in time, however, which is how zero-day exploits come about. One that affects Firefox and Thunderbird has just been fixed by Mozilla.
Mozilla has issued a series of emergency security updates to address a critical zero-day vulnerability affecting the Firefox browser and the Thunderbird email client. The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow in the WebP code library (libwebp); it can lead to crashes or arbitrary code execution when a malicious WebP image is opened, and Mozilla acknowledged that it has already been exploited in the wild. The fixes shipped in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2, and the company strongly advises users to update their Firefox and Thunderbird installations to protect their systems from potential attacks.
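For anyone checking a fleet rather than a single machine, the fixed releases listed above can be turned into a simple inventory check. This is an added example, not Mozilla's or Bleeping Computer's code; keying each release line by its major version, and the sample inventory, are assumptions of the example.

```python
import re

# First release on each branch carrying the libwebp fix, per the Mozilla
# advisory quoted above: Firefox 117.0.1, ESR 115.2.1, ESR 102.15.1,
# Thunderbird 115.2.2 and 102.15.1. Keying by major version is this
# example's assumption about how release lines are identified.
FIXED = {
    ("firefox", 117): (117, 0, 1),
    ("firefox", 115): (115, 2, 1),    # ESR
    ("firefox", 102): (102, 15, 1),   # ESR
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}

def parse_version(text):
    """'117.0.1', '115.2.1esr' or '102.15' -> (major, minor, patch).

    Suffixes such as 'esr' or 'b3' are ignored; a missing patch is 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_patched(product, version):
    """True if the build is at or above the first fixed release of its branch.

    False for an older build on a fixed branch, and for a branch that got no
    fix at all (e.g. Firefox 116), where the remedy is a current release line.
    """
    v = parse_version(version)
    fixed = FIXED.get((product.lower(), v[0]))
    return fixed is not None and v >= fixed

def triage(inventory):
    """Return, per host, the (product, version) pairs still needing an update."""
    return {host: [(p, ver) for p, ver in apps if not is_patched(p, ver)]
            for host, apps in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = {
        "laptop-01": [("Firefox", "117.0.1"), ("Thunderbird", "115.2.1")],
        "server-07": [("Firefox", "102.15.1esr")],
        "desk-22": [("Firefox", "116.0.3"), ("Thunderbird", "102.14.0")],
    }
    for host, todo in triage(sample).items():
        print(host, "OK" if not todo else f"UPDATE {todo}")
```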

Additionally, the same CVE-2023-4863 vulnerability affects other software that uses the vulnerable WebP code library version, including Google Chrome. Google had already patched this flaw in Chrome after discovering that it was actively exploited. The zero-day was initially reported on September 6th by Apple’s Security Engineering and Architecture (SEAR) team and The Citizen Lab at the University of Toronto’s Munk School.

Apple, in response to Citizen Lab’s findings, also patched two zero-days linked to an exploit chain called BLASTPASS, used to deploy the NSO Group’s Pegasus spyware on fully patched iPhones. These patches were rolled out to older iPhone models, such as the iPhone 6s, the iPhone 7, and the first-generation iPhone SE.

For this specific issue affecting Mozilla software, the fix should already be rolling out, so update your browser and email client now. If no update is offered yet, it may take a few days to reach everyone.

Source: Bleeping Computer
