Cyber Security Threat Summary:
“Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution” (Bleeping Computer, 2023).
If a victim opens a malicious WebP image, a heap buffer overflow issue may occur in the content process. Mozilla says they are aware of this issue being exploited in the wild in various products. Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
To prevent further exploitation, researchers did not release full details of the WebP flaw or how it was used in attacks, but this critical vulnerability is known to be under active exploitation. Mozilla is urging users of Firefox and Thunderbird to install the latest versions to protect their systems from attacks.
Security Officer Comments:
Mozilla notes that the zero-day likely impacts other software that uses a vulnerable WebP code library. Google’s Chrome web browser was also vulnerable to the flaw, and Google issued a patch on Monday. Google also said it was aware of an exploit for CVE-2023-4863. Chrome security updates have been rolling out to users and should reach the entire user base over the next few days. Users should patch as soon as the update is available.
The vulnerability was discovered by Apple’s Security Engineering and Architecture team (SEAR) and The Citizen Lab at the University of Toronto’s Munk School on September 6th. While it is unclear who was behind these attacks, Citizen Lab has a history of disclosing zero-days used in espionage campaigns led by government-affiliated threat groups. These campaigns typically focus on individuals at significant risk of attack, including journalists, opposition politicians, and dissidents.
Users should update to the latest versions of Firefox, Thunderbird and Google Chrome.
- Mozilla: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- Chrome: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
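A practical follow-up to the patch guidance above is to verify that every installed copy of Firefox and Thunderbird is at or beyond the fixed versions the advisory names. The script below is an added example written for this summary; it is not code from Mozilla or from either vendor. It takes version strings as produced by `firefox --version` or a software inventory, works out which release branch they belong to, and compares them against the fixed versions listed above (Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, Thunderbird 115.2.2). The branch mapping (major 102 is ESR 102, major 115 is ESR 115, anything else is the rapid-release train), the assumption that any later major release already carries the fix, and the `host,product,version` inventory format are all assumptions made for this example. Chrome is left out because the page gives no fixed Chrome version number.

```python
"""Check installed Firefox/Thunderbird versions against the CVE-2023-4863 fixes.

Fixed versions come from the advisory summary above (mfsa2023-40).
Branch mapping and "later majors contain the fix" are assumptions for this example.
"""
import re
from typing import Dict, List, Tuple, Union

Version = Tuple[int, ...]

# Minimum fixed version per product and release branch (keyed by major version).
# "mainline" is used for any major not listed explicitly (assumption: rapid release).
FIXED_VERSIONS: Dict[str, Dict[Union[int, str], Version]] = {
    "firefox": {102: (102, 15, 1), 115: (115, 2, 1), "mainline": (117, 0, 1)},
    "thunderbird": {102: (102, 15, 1), 115: (115, 2, 2), "mainline": (115, 2, 2)},
}

# Matches '117.0.1', 'Mozilla Firefox 115.2.1esr', 'Thunderbird 102.15.1'.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Extract the dotted version number from a version string as an int tuple."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def minimum_fixed_version(product: str, installed: Version) -> Version:
    """Return the first version on the installed build's branch that carries the fix."""
    table = FIXED_VERSIONS[product.lower()]
    # ESR branches are keyed by major; everything else is compared to the mainline fix.
    return table.get(installed[0], table["mainline"])


def is_patched(product: str, version_text: str) -> bool:
    """True if the installed version is at or beyond the fixed version for its branch.

    Tuple comparison handles differing lengths: (117, 0) < (117, 0, 1).
    """
    installed = parse_version(version_text)
    return installed >= minimum_fixed_version(product, installed)


def assess_inventory(lines: List[str]) -> Dict[str, Tuple[str, Version, bool]]:
    """Evaluate 'host,product,version' inventory lines; returns host -> (product, version, patched)."""
    results: Dict[str, Tuple[str, Version, bool]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version_text = [field.strip() for field in line.split(",", 2)]
        results[host] = (product.lower(), parse_version(version_text), is_patched(product, version_text))
    return results


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    "# host,product,version",
    "ws-01,firefox,Mozilla Firefox 117.0.1",
    "ws-02,firefox,Mozilla Firefox 116.0.3",
    "ws-03,firefox,Mozilla Firefox 115.2.1esr",
    "srv-mail,thunderbird,Thunderbird 115.2.1",
    "ws-04,thunderbird,Thunderbird 102.15.1",
]


if __name__ == "__main__":
    for host, (product, version, patched) in assess_inventory(SAMPLE_INVENTORY).items():
        status = "patched" if patched else "VULNERABLE - update required"
        print(f"{host:10} {product:12} {'.'.join(map(str, version)):12} {status}")
```

Feed it the output of your endpoint inventory tool in the assumed `host,product,version` shape; any host reported as vulnerable should be prioritised for the update, since the flaw is known to be exploited in the wild.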