Mozilla patched a critical zero-day vulnerability affecting its Firefox web browser and Thunderbird email client via emergency security updates.
The security flaw in question — CVE-2023-4863 — stemmed from a heap buffer overflow in the WebP code library.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” Mozilla said in an advisory published on Tuesday, adding: “We are aware of this issue being exploited in other products in the wild.”
The not-for-profit software developer addressed the zero-day exploit in:
- Firefox 117.0.1
- Firefox ESR 115.2.1
- Firefox ESR 102.15.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
The details surrounding the WebP flaw being used in attacks have not been shared, but users have been strongly advised to update their versions of Firefox and Thunderbird.
Google already patched Chrome
Mozilla software was not alone in using the vulnerable version of the WebP code library.
Google patched its Chrome web browser on Monday while warning that “an exploit for CVE-2023-4863 exists in the wild.” Its security updates have been rolling out and are expected to cover its entire user base in the weeks ahead.
Apple and The Citizen Lab identified the flaw
Apple’s Security Engineering and Architecture team first reported the flaw on Sept. 6, alongside The Citizen Lab at the University of Toronto’s Munk School — the latter well known for identifying and disclosing zero-day vulnerabilities.
Citizen Lab recently identified two zero-day vulnerabilities used to deploy NSO Group’s notorious Pegasus mercenary spyware onto fully up-to-date iPhones. Apple patched the vulnerabilities last week before backporting the fixes to older iPhone models — such as the iPhone 6s, iPhone 7 and iPhone SE.