Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird


Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser.

The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.

“Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” Mozilla said in an advisory. “We are aware of this issue being exploited in other products in the wild.”

According to the description on the National Vulnerability Database (NVD), the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Read more…