Security News > 2023 > September > Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird
Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser.
The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.
"We are aware of this issue being exploited in other products in the wild."
Apple Security Engineering and Architecture and the Citizen Lab at The University of Toronto's Munk School have been credited with reporting the security issue.
The development comes a day after Google released fixes for the same flaw in Chrome, noting it's "Aware that an exploit for CVE-2023-4863 exists in the wild."
Last week, Apple also released patches to plug two actively exploited security holes that the Citizen Lab said have been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully-patched iPhones running iOS 16.6.
News URL
https://thehackernews.com/2023/09/mozilla-rushes-to-patch-webp-critical.html
Related news
- New Mirai botnet targets industrial routers with zero-day exploits (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day (source)
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (source)
- Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025 (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-4863 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. network low complexity google fedoraproject debian mozilla microsoft webmproject netapp bentley bandisoft CWE-787 | 8.8 |