Mozilla Releases Emergency Patch for Critical Firefox and Thunderbird Vulnerability
Mozilla has released emergency updates to fix a critical zero-day vulnerability that was already being exploited by hackers and affected both the Firefox browser and Thunderbird email client. The same issue, related to the WebP library (libwebp), was previously patched by Google in its products.
Details of the Vulnerability
The critical bug is identified as CVE-2023-4863 and is associated with a heap buffer overflow in WebP. Exploiting this vulnerability can lead to anything from crashes to remote execution of arbitrary code.
"Opening a malicious WebP image could lead to a heap buffer overflow during content processing. We are aware that this issue is already being exploited in other products," Mozilla developers stated in their security bulletin.
Patched Versions
Mozilla addressed the vulnerability in the following releases:
- Firefox 117.0.1
- Firefox ESR 115.2.1
- Firefox ESR 102.15.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
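To turn that list into an inventory check, the following is an added example (not Mozilla's code): it parses a Firefox or Thunderbird version string, matches it to the release branch by major version, and reports whether the build is at or above the fixed release. The branch mapping assumes 102 and 115 are ESR lines and 117 is the mainline Firefox release, as the list above implies.

```python
from typing import Tuple

# Fixed releases from the Mozilla advisory, keyed by product and release branch
# (branch = major version; 102 and 115 are ESR lines, 117 is mainline Firefox).
PATCHED = {
    "firefox": {117: (117, 0, 1), 115: (115, 2, 1), 102: (102, 15, 1)},
    "thunderbird": {115: (115, 2, 2), 102: (102, 15, 1)},
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '115.2.1esr' or '117.0' into a comparable 3-int tuple (missing parts -> 0)."""
    # keep only the leading dotted-digit run; suffixes such as 'esr' are dropped
    digits = "".join(ch if ch.isdigit() or ch == "." else " " for ch in text).split()[0]
    parts = [int(p) for p in digits.split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched(product: str, version: str) -> bool:
    """True if this product/version carries the CVE-2023-4863 fix."""
    ver = parse_version(version)
    branches = PATCHED[product.lower()]
    major = ver[0]
    if major in branches:
        # same branch: compare against the fixed release of that branch
        return ver >= branches[major]
    if major > max(branches):
        # a newer major than any listed release already includes the fix
        return True
    # any other major (e.g. Firefox 116 or 103..114) is an out-of-support
    # mainline release that never received the fix
    return False


if __name__ == "__main__":
    # constructed sample inventory: (host, product, reported version)
    inventory = [
        ("ws01", "firefox", "117.0.1"),
        ("ws02", "firefox", "115.2.0esr"),
        ("mail01", "thunderbird", "115.2.1"),
        ("ws03", "firefox", "116.0.3"),
    ]
    for host, product, version in inventory:
        state = "ok" if is_patched(product, version) else "UPDATE REQUIRED"
        print(f"{host}: {product} {version} -> {state}")
```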
About the WebP Library
The open-source libwebp library, developed by Google, is used to process WebP images. Any application that uses this library to handle WebP images (including Chrome, Edge, Firefox, and others) could potentially be attacked via a specially crafted image.
Related Security Updates from Google and Apple
Previously, Google patched this WebP-related vulnerability in Chrome and warned that an exploit for CVE-2023-4863 was already in the wild. Google also thanked colleagues from Apple Security Engineering and Architecture (SEAR) for discovering the issue.
Last week, Apple released unscheduled updates to fix two zero-day vulnerabilities (CVE-2023-41064 and CVE-2023-41061) that were already being used in attacks targeting iPhone and Mac users. CVE-2023-41064 is a buffer overflow vulnerability triggered by processing malicious images and can lead to arbitrary code execution on unpatched devices.
According to Citizen Lab, both CVE-2023-41064 and CVE-2023-41061 were actively exploited as part of a zero-click iMessage exploit chain called BLASTPASS. Experts believe these vulnerabilities were used to spread Pegasus spyware developed by NSO Group.
Possible Connections Between the Vulnerabilities
While there is no direct evidence linking CVE-2023-4863 to the vulnerabilities patched by Apple, the timing of the patches, Google's thanks to Apple SEAR, and the similar nature of the vulnerabilities suggest there may be significant overlap between these issues.