Mozilla Issues Security Updates for Critical Zero-Day Vulnerability in Firefox and Thunderbird

Mozilla has released security updates in response to a critical zero-day vulnerability affecting both Firefox and Thunderbird. The vulnerability, identified as CVE-2023-4863, is a heap buffer overflow in the handling of the WebP image format. Opening a specially crafted WebP image could lead to a heap buffer overflow in the content process, with the potential for arbitrary code execution.

Mozilla’s response came shortly after Google released a fix for a similar issue in its Chrome browser. Mozilla stated: “We are aware of this issue being exploited in other products in the wild.”

Vulnerability Timestamp:

Announced – September 12, 2023
Impact – Critical
Products – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird
Fixed in – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
CVE-2023-4863: Heap buffer overflow in libwebp

 

Understanding the WebP image format and heap buffer overflow vulnerabilities

WebP is a modern image format developed by Google that is designed to provide high-quality compression for images on the web. It’s particularly useful for reducing the size of images without significantly sacrificing image quality. WebP images are commonly used on websites and in web applications to improve loading times and overall web performance.

A heap buffer overflow is a type of software vulnerability where a program writes data beyond the end of an allocated buffer in a region of memory known as the heap. This can occur when a program receives input that exceeds the buffer’s size, and the excess data overflows into adjacent memory areas.

 

Mozilla Foundation Security Advisory 2023 for the reported vulnerability:

Mozilla’s advisory warned that opening a malicious WebP image could trigger a heap buffer overflow in the content process, and they noted that this vulnerability has already been actively exploited in various products.

According to the National Vulnerability Database (NVD), this security flaw could allow a remote attacker to perform an out-of-bounds memory write via a carefully crafted HTML page. The credit for discovering and reporting this security issue goes to Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School. Mozilla has swiftly addressed this vulnerability in the following versions: Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.

This development occurred just one day after Google issued fixes for the same vulnerability in Chrome, acknowledging that an exploit for CVE-2023-4863 is currently circulating in the wild.
While specific details about how these vulnerabilities are being exploited remain undisclosed, there is suspicion that they are being used to target individuals at higher risk, such as activists, dissidents, and journalists.

 

To remediate the critical zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird, follow these steps:

  • Update to the latest released versions: Immediately update the Mozilla Firefox and Thunderbird applications to the latest versions provided by Mozilla. The vulnerability has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. Make sure to download and install these updates from official sources.
  • Keep data execution prevention enabled: it flags certain areas of memory as non-executable or executable, which stops an attack from running code in a non-executable region.
  • Ensure websites you visit use HTTPS (secure, encrypted connections). Browsers often display a padlock icon or “https://” in the address bar for secure sites.
  • Periodically clear your browser’s cookies and cache to remove tracking data and potentially malicious scripts.
  • Regularly check for browser updates: Manually check for updates if automatic updates are not enabled, especially after major security incidents.
  • Install security plugins or extensions for your browser that can help detect and block malicious scripts or attempts to exploit vulnerabilities.
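
A fleet check for the update step above, as an added example (not from Mozilla or the original article): it compares an inventory of installed versions against the fixed builds listed in this article. The inventory format, host names and product labels are constructed, and treating branches newer than the listed fixes as patched is an assumption.

```python
import re

# Fixed builds from the article, keyed by (assumed inventory label, major branch or None).
FIXED = {
    ("firefox", None): (117, 0, 1),
    ("firefox-esr", 115): (115, 2, 1),
    ("firefox-esr", 102): (102, 15, 1),
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}

# Constructed sample inventory (host,product,version); not real data.
SAMPLE_INVENTORY = """\
ws-01,firefox,117.0
ws-02,firefox,117.0.1
ws-03,firefox-esr,115.2.0esr
ws-04,firefox-esr,102.15.1esr
ws-05,thunderbird,115.2.2
ws-06,thunderbird,102.15.0
ws-07,thunderbird,91.13.1
"""

def parse_version(text):
    """Turn '115.2.0esr' or '117.0' into a 3-tuple of ints, padding with zeros."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(product, version):
    """Return 'patched', 'update-required' or 'no-fix-listed' for one install."""
    product = product.strip().lower()
    ver = parse_version(version)
    key = (product, None) if product == "firefox" else (product, ver[0])
    fixed = FIXED.get(key)
    if fixed is None:
        # Branch not in the article: assume newer branches carry the fix, older ones do not.
        newest = max((v for (p, _), v in FIXED.items() if p == product), default=None)
        return "patched" if newest and ver > newest else "no-fix-listed"
    return "patched" if ver >= fixed else "update-required"

def scan(inventory):
    """Return (host, product, version, status) for installs that are not patched."""
    rows = (line.split(",") for line in inventory.splitlines() if line.strip())
    checked = ((h.strip(), p.strip(), v.strip(), assess(p, v)) for h, p, v in rows)
    return [row for row in checked if row[3] != "patched"]

if __name__ == "__main__":
    print(*scan(SAMPLE_INVENTORY), sep="\n")
```

Hosts reported as `no-fix-listed` run a branch for which this article names no fixed build, so they need a move to a supported branch, not a point update.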