Mozilla on Tuesday released security updates to address a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google shipped a fix for the same issue in its Chrome browser.
The shortcoming, tracked as CVE-2023-4863, is a heap buffer overflow in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.
"Opening a malicious WebP image could lead to a heap buffer overflow in the content process," Mozilla said in an advisory. "We are aware of this issue being exploited in other products in the wild."
According to the description in the National Vulnerability Database (NVD), the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School have been credited with reporting the security issue. It has been addressed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
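Because the fix landed on three separate branches, a plain "is the version newer than 117.0.1" check would wrongly flag patched ESR builds as vulnerable. The following script is an added example (not Mozilla's tooling) that compares an installed build against the per-branch fixed versions listed above; the `--version` output format it parses is assumed.

```python
import re

# First fixed version per (product, branch major), taken from the advisory text above.
FIXED_VERSIONS = {
    ("firefox", 117): "117.0.1",    # Firefox release channel
    ("firefox", 115): "115.2.1",    # Firefox ESR 115
    ("firefox", 102): "102.15.1",   # Firefox ESR 102
    ("thunderbird", 115): "115.2.2",
    ("thunderbird", 102): "102.15.1",
}

def parse_version(version: str) -> tuple:
    """'117.0.1' -> (117, 0, 1). Trailing suffixes such as 'esr' or 'b3' are dropped."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_patched(product: str, version: str):
    """True if the build is at or above its branch's fixed version, False if older,
    None if the branch (major version) is not one listed in the advisory."""
    installed = parse_version(version)
    if not installed:
        return None
    fixed = FIXED_VERSIONS.get((product.lower(), installed[0]))
    if fixed is None:
        return None
    # Tuple comparison handles short versions: (117, 0) < (117, 0, 1) is True.
    return installed >= parse_version(fixed)

VERSION_LINE = re.compile(r"(?i)\b(firefox|thunderbird)\b\D*?(\d+(?:\.\d+)*)")

def classify(version_line: str):
    """Parse a line such as 'Mozilla Firefox 117.0.1' (assumed --version output)
    and return (product, version, patched_status), or None if unparseable."""
    match = VERSION_LINE.search(version_line)
    if not match:
        return None
    product, version = match.group(1).lower(), match.group(2)
    return product, version, is_patched(product, version)

if __name__ == "__main__":
    # Constructed sample inventory lines, not output from real hosts.
    for line in ["Mozilla Firefox 117.0.1", "Mozilla Firefox 115.2.0esr",
                 "Thunderbird 102.15.1", "Mozilla Firefox 116.0.3"]:
        print(line, "->", classify(line))
```

A `None` result means the major version is not one of the advisory's branches, so it should be checked against the release notes rather than treated as patched.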
The development comes a day after Google released fixes for the same flaw in Chrome, noting it's "aware that an exploit for CVE-2023-4863 exists in the wild."
Last week, Apple also released patches to plug two actively exploited security holes that the Citizen Lab said had been weaponized as part of a zero-click iMessage exploit chain named BLASTPASS to deploy the Pegasus spyware on fully patched iPhones running iOS 16.6.
While specific details about the flaws' exploitation remain unknown, it's suspected that they are all being leveraged to target individuals at elevated risk, such as activists, dissidents, and journalists.
Some parts of this article are sourced from:
thehackernews.com