Mozilla fixed a critical zero-day vulnerability affecting its Firefox web browser and Thunderbird email client via emergency security updates.
The security flaw in question — CVE-2023-4863 — stemmed from a heap buffer overflow in the WebP code library.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” Mozilla said in an advisory published on Tuesday, adding: “We are aware of this issue being exploited in other products in the wild.”
The not-for-profit software developer addressed the zero-day exploit for:
- Firefox 117.0.1
- Firefox ESR 115.2.1
- Firefox ESR 102.15.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
The details surrounding the WedP flaw being used in attacks have not been shared, but users have been strongly advised to update their versions of Firefox and Thunderbird.
Google already patched Chrome
Mozilla software was not alone in using the vulnerable WebP code library version.
Google patched its Chrome web browser on Monday while warning that “an exploit for CVE-2023-4863 exists in the wild.” Its security updates have been rolling out and are expected to cover its entire user base in the weeks ahead.
Apple and The Citizen Lab identified the flaw
Apple’s Security Engineering and Architecture team first reported the flaw on Sept. 6, alongside The Citizen Lab at the University of Toronto’s Munk School — the latter famous for identifying and disclosing zero-day vulnerabilities.
Citizen Lab recently identified two zero-day vulnerabilities used to deploy NSO Group’s infamous Pegasus mercenary spyware onto up-to-date iPhones. Apple patched the vulnerabilities last week before backporting them to older iPhone models — such as the iPhone 6s, iPhone 7 and iPhone SE.