Mozilla fixed a critical zero-day in Firefox and Thunderbird

Mozilla addressed a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in attacks in the wild.

Mozilla rolled out security updates to address a critical zero-day vulnerability, tracked as CVE-2023-4863, in Firefox and Thunderbird that has been actively exploited in the wild.

The vulnerability is a heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187, The vulnerability allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page leading to arbitrary code execution.

“Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.” reads the advisory.

The vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School.

Mozilla did not disclose details about attacks exploiting this issue, however, the fact that it was discovered by Citizen Lab researchers suggests it has been exploited in targeted attacks against high-profile individuals such as journalists, politicians, or dissidents.

The flaw impacts Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird. The vulnerability CVE-2023-4863 was addressed with the release of Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.

Google recently rolled out emergency security updates to address the same flaw (CVE-2023-4863) in Chrome. The vulnerability is the fourth actively exploited zero-day fixed by Google in 2023.

Last week, Apple addressed two flaws, tracked as CVE-2023-41064 and CVE-2023-41061, which were used to install NSO Group’s Pegasus spyware on iPhones.

This week, US Cybersecurity and Infrastructure Security Agency (CISA) added the security vulnerabilities chained in the zero-click iMessage exploit BLASTPASS to its Known Exploited Vulnerabilities Catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla Firefox)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.