Mozilla Fixes Zero Day Bug as Google – CVE-2023-4863

Mozilla has released crucial security updates to address a critical zero-day vulnerability in Firefox. The flaw was also detected in the Thunderbird application.

The zero-day is tracked as CVE-2023-4863 and has been actively exploited in the wild. Interestingly, the CVE system website lists Chrome as the assigner of CVE-2023-4863. Google has also released a patch for the same CVE-2023-4863 issue affecting its Chrome browser.

The zero-day vulnerability is a heap buffer overflow flaw within the WebP image format. Threat actors can exploit it to execute arbitrary code when a specially crafted image is processed.

In its advisory, Mozilla said: "Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild."

The vulnerability affected Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird. Mozilla released patches for all the impacted products.

According to the National Vulnerability Database, the flaw can enable remote code execution: an attacker could perform an out-of-bounds memory write through a crafted HTML page.
