Mozilla on Tuesday released security updates to address a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a patch for the problem in its Chrome browser.
The flaw, assigned the identifier CVE-2023-4863, is a heap buffer overflow vulnerability in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.
"Opening a malicious WebP image could cause a buffer overflow in the content process," Mozilla said in an advisory. "We are aware that this issue is being exploited in other products in the wild."
According to the National Vulnerability Database (NVD) description, the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School were credited for reporting the security issue. This issue has been fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
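As an added example (not code from Mozilla or from the original article), the following Python checks inventoried Firefox and Thunderbird version strings against the fixed releases listed above. The sample inventory is constructed, and two rules are assumptions: ESR builds are recognised by an `esr` suffix, and a branch with no listed fix counts as patched only if it is newer than every fixed release.

```python
import re

# Fixed releases listed in the article, per product line, in ascending order.
FIXED = {
    "firefox": [(117, 0, 1)],
    "firefox-esr": [(102, 15, 1), (115, 2, 1)],
    "thunderbird": [(102, 15, 1), (115, 2, 2)],
}

def parse_version(text):
    """Turn '115.2.1esr' or '117.0' into a 3-tuple of ints, zero-padded."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def product_line(product, version_text):
    """Assumption: Firefox ESR builds carry an 'esr' suffix in their version."""
    name = product.lower()
    if name == "firefox" and version_text.strip().lower().endswith("esr"):
        return "firefox-esr"
    return name

def is_patched(product, version_text):
    """True if the build is at or above the fixed release for its branch."""
    # Assumption: a major version with no listed fix is patched only if it
    # is newer than every fixed release of that product line.
    fixes = FIXED[product_line(product, version_text)]
    version = parse_version(version_text)
    for fix in fixes:
        if version[0] == fix[0]:
            return version >= fix
    return version > fixes[-1]

def unpatched(inventory):
    """Return the (host, product, version) rows still exposed to CVE-2023-4863."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("ws-01", "Firefox", "117.0"),
    ("ws-02", "Firefox", "117.0.1"),
    ("ws-03", "Firefox", "115.2.0esr"),
    ("ws-04", "Thunderbird", "115.2.2"),
    ("ws-05", "Thunderbird", "102.15.0"),
]

if __name__ == "__main__":
    for host, product, version in unpatched(SAMPLE):
        print(f"{host}: {product} {version} needs updating")
```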
This development comes a day after Google released fixes for the same flaw in Chrome, noting that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”
Last week, Apple also released updates to close two actively exploited security vulnerabilities that Citizen Lab says were used as part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully patched iPhones running iOS 16.6.
Although specific details regarding the exploitation of these vulnerabilities remain unknown, it is suspected that they are all being exploited to target high-risk individuals, such as activists, dissidents and journalists.