Mozilla has issued crucial security updates to address a critical zero-day vulnerability (CVE-2023-4863) discovered in its Firefox web browser and Thunderbird email client. This vulnerability, characterized as a heap buffer overflow flaw in the WebP image format, has already been actively exploited in real-world attacks.
Furthermore, the flaw, if successfully exploited, could enable remote attackers to execute arbitrary code by manipulating specially crafted images. Mozilla responded swiftly to this threat, releasing updates to safeguard its users.
At the same time, the vulnerability’s severity prompted Mozilla to take immediate action, given the potential consequences of arbitrary code execution on users’ systems. This development closely follows Google’s release of a fix for the same vulnerability in its Chrome browser, indicating that threat actors had been actively exploiting it across different platforms.
Mozilla’s security advisory confirmed that the flaw’s exploitation extended beyond their products to affect other software. The company urged users to update their Firefox and Thunderbird installations to the latest versions to mitigate the risk.
Mozilla credited Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School for reporting the security issue.
While specific details regarding the nature of the attacks and their targets remain undisclosed, it is suspected that these zero-day vulnerabilities are being weaponized to target high-risk individuals, including activists, dissidents, and journalists.