Summary
-
Mozilla has released security updates for Firefox and Thunderbird to fix a critical zero-day vulnerability that has been actively exploited in the wild.
-
The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could allow an attacker to execute arbitrary code on the victim’s computer.
-
The vulnerability is suspected to target individuals who are at an elevated risk, such as activists, dissidents, and journalists.
-
Mozilla has released Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 to fix the vulnerability.
-
Google has also released a fix for the vulnerability in Chrome.
Additional Details
-
The WebP image format is a modern image format that is designed to be more efficient than other image formats, such as JPEG and PNG.
-
The heap buffer overflow vulnerability occurs when Firefox or Thunderbird attempts to decode a specially crafted WebP image.
-
The vulnerability could allow an attacker to execute arbitrary code on the victim’s computer by tricking them into opening a malicious WebP image.
-
Mozilla and Google have been working to fix the vulnerability since it was reported to them.
-
The security updates have been released for all supported versions of Firefox and Thunderbird.
-
Users are advised to update their browsers as soon as possible to protect themselves from this vulnerability.
Oh great doesn’t it mean Tor (the browser) was vulnerable too?
Yes, there’s already an update.