Mozilla has released a security patch to address a zero-day vulnerability. Tracked as CVE-2023-4863, the vulnerability is rated as critical. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code or crash the application on devices running vulnerable versions of Firefox, Firefox ESR, and Thunderbird.
Earlier this week, Google addressed the CVE by releasing a patch for Google Chrome. Mozilla addressed the vulnerability and stated, “We are aware of this issue being exploited in other products in the wild.”
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 4, 2023.
CVE-2023-4863: Heap Buffer Overflow Vulnerability in libwebp
WebP is a modern image format renowned for its exceptional compression capabilities, catering to both lossless and lossy image optimization for web content. WebP allows website administrators and developers to craft more compact yet visually enhanced images, allowing webpages to load comparatively faster.
A heap overflow is a security vulnerability where a program writes more data into a memory area (heap) than allowed, potentially overwriting critical information and allowing attackers to take control of the application or system. The vulnerability allows an attacker to add a malicious WebP image to a webpage which, when opened, can lead to code execution or crashing the application.
Affected Versions
- Firefox versions prior to 117.0.1
- Firefox ESR versions prior to 102.15.1
- Firefox ESR versions prior to 115.2.1
- Thunderbird versions prior to 102.15.1
- Thunderbird versions prior to 115.2.2
Mitigation
Customers are advised to upgrade to the latest version of Firefox mentioned below:
- Firefox 117.0.1
- Firefox ESR 102.15.1
- Firefox ESR 115.2.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
For more information, please refer to the Mozilla Foundation security advisory (MFSA2023-40).
Qualys Detection
Qualys customers can scan their devices with QID 378858, 378859, and 378861 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/