Mozilla on Tuesday launched safety updates to resolve a important zero-day vulnerability in Firefox and Thunderbird that has been actively exploited within the wild, a day after Google launched a repair for the problem in its Chrome browser.
The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw within the WebP picture format that might lead to arbitrary code execution when processing a specifically crafted picture.
“Opening a malicious WebP picture might result in a heap buffer overflow within the content material course of,” Mozilla stated in an advisory. “We’re conscious of this subject being exploited in different merchandise within the wild.”
In response to the outline on the Nationwide Vulnerability Database (NVD), the flaw might permit a distant attacker to carry out an out-of-bounds reminiscence write by way of a crafted HTML web page.
Apple Safety Engineering and Structure (SEAR) and the Citizen Lab at The College of Toronto’s Munk Faculty have been credited with reporting the safety subject. It has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
Means Too Weak: Uncovering the State of the Id Assault Floor
Achieved MFA? PAM? Service account safety? Learn how well-equipped your group actually is in opposition to id threats
The event comes a day after Google launched fixes for a similar flaw in Chrome, noting it is “conscious that an exploit for CVE-2023-4863 exists within the wild.”
Final week, Apple additionally launched patches to plug two actively exploited safety holes that the Citizen Lab stated have been weaponized as a part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware and adware on fully-patched iPhones working iOS 16.6.
Whereas particular particulars relating to the issues’ exploitation stay unknown, it is suspected that they’re all being leveraged to focus on people who’re at an elevated danger, equivalent to activists, dissidents, and journalists.
