Critical Zero-day Vulnerability in Mozilla Firefox & Thunderbird

Published on 13 Sep 2023 | Updated on 13 Sep 2023

Mozilla Foundation has released security updates addressing a critical zero-day vulnerability (CVE-2023-4863) in the WebP code library (libwebp). The vulnerability is reportedly being actively exploited.

Successful exploitation of the heap buffer overflow vulnerability could allow a remote attacker to perform denial-of-service (DoS) or arbitrary code execution via a crafted HTML page.

The vulnerability affects the following products:

Firefox 117.0.1
Firefox Extended Support Release (ESR) 115.2.1 and 102.15.1
Thunderbird 102.15.1 and 115.2.2

Users of Mozilla Firefox and Thunderbird are advised to update to the latest versions immediately.

More information is available here:

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863

https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/