Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird


Sep 13, 2023 | THN | Vulnerability / Browser Security

Zero-Day Exploit in Firefox

Mozilla on Tuesday released security updates to fix a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser.

The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.

"Opening a malicious WebP image could lead to a heap buffer overflow in the content process," Mozilla said in an advisory. "We are aware of this issue being exploited in other products in the wild."

According to the description on the National Vulnerability Database (NVD), the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School have been credited with reporting the security issue. It has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
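The fixed releases above span three branches (mainline Firefox 117, ESR 115 and ESR 102), so a naive "is my version at least 117.0.1" check misclassifies every ESR install. The following is an added example, not code from Mozilla or The Hacker News, that encodes the first-fixed versions named in the advisory and triages an inventory of (host, product, version) records. The sample inventory is constructed; the rule that majors newer than the latest listed branch inherit the fix is an assumption stated in the code.

```python
from typing import Dict, List, Optional, Tuple

CVE_ID = "CVE-2023-4863"

# First fixed releases named in Mozilla's advisory for CVE-2023-4863 (from the article).
# Keyed by (product, release branch). 117 is mainline Firefox; 115 and 102 are the ESR lines.
FIXED_VERSIONS: Dict[Tuple[str, int], Tuple[int, int, int]] = {
    ("firefox", 117): (117, 0, 1),
    ("firefox", 115): (115, 2, 1),
    ("firefox", 102): (102, 15, 1),
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Mozilla version string such as '115.2.1esr' or '118.0b3' into a 3-tuple.

    Trailing channel markers (esr, b3, a1) are dropped; missing components pad to 0.
    """
    parts: List[int] = []
    for piece in text.strip().lower().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def covering_branch(product: str, major: int) -> Optional[int]:
    """Return the advisory branch that applies to an installed major version.

    Majors above the newest listed branch are assumed to inherit the fix (assumption:
    the advisory lists first-fixed releases and later releases carry the fix forward).
    Majors between branches (e.g. Firefox 116) have no fixed release and return None.
    """
    branches = sorted(b for (p, b) in FIXED_VERSIONS if p == product)
    if not branches:
        raise ValueError(f"unknown product {product!r}")
    if major in branches:
        return major
    if major > branches[-1]:
        return branches[-1]
    return None


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the install carries the fix, False if its branch has a fix it lacks,
    None if no listed fixed release covers its branch (treat as needing an upgrade)."""
    product = product.lower()
    installed = parse_version(version)
    branch = covering_branch(product, installed[0])
    if branch is None:
        return None
    if installed[0] > branch:
        return True
    return installed >= FIXED_VERSIONS[(product, branch)]


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Label each (host, product, version) record as patched, vulnerable or no-fix-on-branch."""
    labels = {None: "no-fix-on-branch", True: "patched", False: "vulnerable"}
    return {host: labels[is_patched(product, version)] for host, product, version in inventory}


# Constructed sample inventory (hostnames are made up), as an asset export might produce.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "117.0.1"),
    ("ws-02", "Firefox", "117.0"),
    ("ws-03", "Firefox", "115.2.0esr"),
    ("ws-04", "Firefox", "116.0.3"),
    ("mail-01", "Thunderbird", "115.2.2"),
    ("mail-02", "Thunderbird", "102.14.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The `no-fix-on-branch` label matters in practice: an install on Firefox 116 is neither on the mainline fixed release nor on an ESR line, so it is vulnerable until moved to 117.0.1 or later, and a plain "greater than or equal" comparison against a single version would silently miss it.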


The development comes a day after Google released fixes for the same flaw in Chrome, noting it's "aware that an exploit for CVE-2023-4863 exists in the wild."

Last week, Apple also released patches to plug two actively exploited security holes that the Citizen Lab said have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully-patched iPhones running iOS 16.6.

While specific details regarding the flaws' exploitation remain unknown, it's suspected that they are all being leveraged to target individuals who are at an elevated risk, such as activists, dissidents, and journalists.
