Mozilla rolled out security updates to address a critical zero-day vulnerability, tracked as CVE-2023-4863, in Firefox and Thunderbird that has been actively exploited in the wild.
The vulnerability is a heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187, The vulnerability allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page leading to arbitrary code execution.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.” reads the advisory.
The vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School.
Mozilla did not disclose details about attacks exploiting this issue, however, the fact that it was discovered by Citizen Lab researchers suggests it has been exploited in targeted attacks against high-profile individuals such as journalists, politicians, or dissidents.
The flaw impacts Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird. The vulnerability CVE-2023-4863 was addressed with the release of Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
Google recently rolled out emergency security updates to address the same flaw (CVE-2023-4863) in Chrome. The vulnerability is the fourth actively exploited zero-day fixed by Google in 2023.
Last week, Apple addressed two flaws, tracked as CVE-2023-41064 and CVE-2023-41061, which were used to install NSO Group’s Pegasus spyware on iPhones.
This week, US Cybersecurity and Infrastructure Security Agency (CISA) added the security vulnerabilities chained in the zero-click iMessage exploit BLASTPASS to its Known Exploited Vulnerabilities Catalog.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mozilla Firefox)