Mozilla has released critical security updates for its Firefox web browser and its Thunderbird email client in response to a serious vulnerability.
The vulnerability, tracked as CVE-2023-5217, could allow an attacker to execute arbitrary code on an affected system.
This is the same critical vulnerability for which Google released urgent security patches for the Chrome browser on September 28th, 2023.
The flaw is a heap buffer overflow in libvpx, the VP8/VP9 video codec library that Firefox uses to decode media. An attacker-controlled VP8 media stream, such as a video delivered by a malicious web page or message, can trigger the overflow inside the content process that renders the page, which could in turn let the attacker run arbitrary code in that process. On desktop the content process is sandboxed, so full system compromise would typically require chaining this bug with a second one; that does not lessen the urgency of patching, since memory-corruption bugs in media decoders are a common first stage in browser exploit chains.
Mozilla rates the vulnerability as critical, its highest severity level. The foundation also states that it is aware of the issue being exploited in other products in the wild, which makes prompt patching essential.
The security update is applicable to several Mozilla products, including:
- Firefox: The vulnerability has been addressed in Firefox version 118.0.1.
- Firefox ESR: The fix is available in Firefox ESR version 115.3.1.
- Firefox Focus for Android: Users can secure their browsing experience by updating to version 118.1.0.
- Firefox for Android: The vulnerability has been patched in Firefox for Android version 118.1.0.
- Thunderbird: Users of the Thunderbird email client can protect their communications by updating to version 115.3.1.
The Mozilla Foundation strongly advises all users of these products to update to the fixed versions or later to ensure their systems are protected against this critical vulnerability.
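The practical follow-up to the version table is a check of what is actually installed across a fleet. The script below is an added example written for this page, not Mozilla's code. The fixed versions are taken from the advisory; the product keys, the rule that treats a 115.x build or an `esr` suffix as the ESR branch, the `report` helper and the sample inventory are this example's own assumptions and constructed data.

```python
import re
from typing import List, Tuple

# Versions that fix CVE-2023-5217, as listed in Mozilla's advisory.
# The product keys are this example's own naming, not Mozilla's.
FIXED_VERSIONS = {
    "firefox": (118, 0, 1),
    "firefox-esr": (115, 3, 1),
    "firefox-android": (118, 1, 0),
    "firefox-focus-android": (118, 1, 0),
    "thunderbird": (115, 3, 1),
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Pull the first dotted version out of strings such as
    'Mozilla Firefox 118.0.1', '115.3.1esr' or 'Thunderbird 115.3'.
    Missing trailing components are padded with zeros, so '118.0' compares
    as 118.0.0 and ranks below the fixed 118.0.1."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_patched(product: str, version_text: str) -> bool:
    """True when the installed version is at or above the fixed version.
    Tuple comparison is lexicographic, so 118.0.1 > 118.0.0 > 117.9.9."""
    return parse_version(version_text) >= FIXED_VERSIONS[product]


def classify_desktop_firefox(version_text: str) -> Tuple[str, bool]:
    """Map a desktop Firefox version string to its branch and patch state.

    Assumption (this example's heuristic, not from the advisory): a version
    string containing 'esr', or whose major version is 115, is on the ESR
    branch and needs 115.3.1; every other build is rapid release and needs
    118.0.1. A 116.x or 117.x build is therefore reported as vulnerable,
    because the fix shipped only in 118.0.1 and 115.3.1.
    """
    version = parse_version(version_text)
    is_esr = "esr" in version_text.lower() or version[0] == 115
    branch = "firefox-esr" if is_esr else "firefox"
    return branch, version >= FIXED_VERSIONS[branch]


def report(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Given (host, product, version string) records, return the hosts
    that still run a version below the fix for CVE-2023-5217."""
    pending = []
    for host, product, version_text in inventory:
        if product == "firefox":
            branch, patched = classify_desktop_firefox(version_text)
        else:
            branch, patched = product, is_patched(product, version_text)
        if not patched:
            pending.append((host, branch, version_text))
    return pending


# Constructed sample inventory: the version strings mimic the output of
# `firefox --version` and `thunderbird --version` collected from a few hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 118.0.1"),
    ("ws-02", "firefox", "Mozilla Firefox 117.0.1"),
    ("ws-03", "firefox", "Mozilla Firefox 115.3.1esr"),
    ("ws-04", "firefox", "Mozilla Firefox 115.2.0esr"),
    ("mail-01", "thunderbird", "Thunderbird 115.3.1"),
    ("mail-02", "thunderbird", "Thunderbird 115.2.3"),
]

if __name__ == "__main__":
    for host, branch, version_text in report(SAMPLE_INVENTORY):
        print(f"{host}: {branch} {version_text!r} is still vulnerable to CVE-2023-5217")
```

On a real fleet the version strings would come from `firefox --version` and `thunderbird --version` (or from your software inventory), and the point of the branch heuristic is that a 117.x host is not "almost current": it is below the only release-channel build that carries the fix.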