Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks

Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client.

Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.

"Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla said in an advisory published on Tuesday.

Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.

Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.

Hence, users are strongly advised to install updated versions of Firefox and Thunderbird to safeguard their systems against potential attacks.

​As Mozilla revealed in today's security advisory, the CVE-2023-4863 zero-day also impacts other software using the vulnerable WebP code library version.

One of them is the Google Chrome web browser, which was patched against this flaw on Monday when Google warned that it's "aware that an exploit for CVE-2023-4863 exists in the wild."

The Chrome security updates are rolling out to users in the Stable and Extended stable channels and are expected to reach the entire user base over the coming days or weeks.

Apple's Security Engineering and Architecture (SEAR) team and The Citizen Lab at the University of Toronto's Munk School were the ones who reported the bug on September 6th.

The security researchers at Citizen Lab also have a history of identifying and disclosing zero-day vulnerabilities frequently exploited in targeted espionage campaigns led by government-affiliated threat actors.

These campaigns typically focus on individuals at significant risk of attack, including journalists, opposition politicians, and dissidents.

On Thursday, Apple also patched two zero-days tagged by Citizen Lab as exploited in the wild as part of an exploit chain dubbed BLASTPASS to deploy NSO Group's Pegasus mercenary spyware onto fully patched iPhones.

Today, the BLASTPASS patches were also backported to older iPhone models, including iPhone 6s models, the iPhone 7, and the first generation of iPhone SE.