Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks2023-09-13 20:00 by Daniela
Tags: Mozilla, Firefox
Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client.
Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution. WebP is an image format that is used widely on the Internet.
Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.
"Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla said in an advisory published on Tuesday.
Mozilla thanked Apple Security Engineering and Architecture and The Citizen Lab at The University of Toronto's Munk School for bringing the zero-day to their attention. Firefox users are advised to update the browser immediately to the new version.
Read more -here-