Mozilla fixed a critical zero-day vulnerability affecting its Firefox web browser and Thunderbird email client through emergency security updates.
The security flaw in question, CVE-2023-4863, stemmed from a heap buffer overflow in the WebP code library.
“Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” Mozilla said in an advisory published on Tuesday, adding: “We are aware of this issue being exploited in other products in the wild.”
The not-for-profit software developer addressed the zero-day exploit in:
- Firefox 117.0.1
- Firefox ESR 115.2.1
- Firefox ESR 102.15.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
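An added example, not from the article or from Mozilla, of how a defender might triage a software inventory against the fixed releases listed above. The inventory rows and hostnames are constructed, and the rule that releases newer than the latest listed branch carry the fix is an assumption.

```python
import re

# Fixed releases from the Mozilla advisory, keyed by (product, major branch).
FIXED = {
    ("firefox", 117): (117, 0, 1),
    ("firefox", 115): (115, 2, 1),   # ESR 115
    ("firefox", 102): (102, 15, 1),  # ESR 102
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}

def parse_version(text):
    """Turn '115.2.0esr' or '117.0' into a comparable 3-tuple of ints."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def status(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build."""
    product = product.lower()
    v = parse_version(version)
    fixed = FIXED.get((product, v[0]))
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    majors = [major for (p, major) in FIXED if p == product]
    if not majors:
        return "unknown"  # product not covered by this advisory (e.g. Chrome)
    # Assumption: releases after the newest patched branch ship with the fix;
    # an unlisted older branch (e.g. Firefox 116) needs manual review.
    return "patched" if v[0] > max(majors) else "unknown"

# Constructed sample inventory (host,product,version); not real hosts.
SAMPLE_INVENTORY = """\
ws-01,Firefox,117.0
ws-02,Firefox,117.0.1
ws-03,Firefox,115.2.0esr
ws-04,Firefox,115.2.1esr
ws-05,Thunderbird,102.15.0
ws-06,Thunderbird,115.2.2
ws-07,Firefox,116.0.3
srv-01,Chrome,116.0.5845.187
"""

def triage(csv_text):
    """Return (host, product, version, status) rows, vulnerable hosts first."""
    rows = []
    for line in csv_text.splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        rows.append((host, product, version, status(product, version)))
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[3]])

if __name__ == "__main__":
    for host, product, version, st in triage(SAMPLE_INVENTORY):
        print(f"{st:10} {host:8} {product} {version}")
```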
The details surrounding the WebP flaw being used in attacks have not been shared, but users have been strongly advised to update their versions of Firefox and Thunderbird.
Google already patched Chrome
Mozilla's software was not alone in using the vulnerable WebP code library version.
Google patched its Chrome web browser on Monday while warning that “an exploit for CVE-2023-4863 exists in the wild.” Its security updates have been rolling out and are expected to cover its entire user base in the weeks ahead.
Apple and The Citizen Lab identified the flaw
Apple's Security Engineering and Architecture team first reported the flaw on Sept. 6, alongside The Citizen Lab at the University of Toronto's Munk School, the latter well known for identifying and disclosing zero-day vulnerabilities.
Citizen Lab recently identified two zero-day vulnerabilities used to deploy NSO Group's infamous Pegasus mercenary spyware onto up-to-date iPhones. Apple patched the vulnerabilities last week before backporting them to older iPhone models, such as the iPhone 6s, iPhone 7 and iPhone SE.