Mozilla on Tuesday launched security updates to resolve a vital zero-day vulnerability in Firefox and Thunderbird that has been actively exploited within the wild, a day after Google launched a repair for the difficulty in its Chrome browser.
The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw within the WebP picture format that might end in arbitrary code execution when processing a specifically crafted picture.
“Opening a malicious WebP picture might result in a heap buffer overflow within the content material course of,” Mozilla mentioned in an advisory. “We’re conscious of this concern being exploited in different merchandise within the wild.”
In response to the outline on the Nationwide Vulnerability Database (NVD), the flaw might enable a distant attacker to carry out an out-of-bounds reminiscence write by way of a crafted HTML web page.
Apple Safety Engineering and Structure (SEAR) and the Citizen Lab on the College of Toronto’s Munk College have been credited with reporting the security concern. It has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
The event comes a day after Google launched fixes for a similar flaw in Chrome, noting it is “conscious that an exploit for CVE-2023-4863 exists within the wild.”
Final week, Apple additionally revealed updates to plug two actively exploited security holes that the Citizen Lab mentioned have been weaponized as a part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus adware on fully-patched iPhones working iOS 16.6.
Whereas particular particulars relating to the failings’ exploitation stay unknown, it is suspected that they’re all being leveraged to focus on people who’re at an elevated danger, similar to activists, dissidents, and journalists.
