186
Mozilla Patched WebP Critical Zero-Day Exploit in Firefox and Thunderbird: CVE-2023-4863 (heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution) (thehackernews.com)
submitted 2 years ago by Raisin8659 to c/firefox@lemmy.ml
7 comments fedilink hide all child comments

Summary

  • Mozilla has released security updates for Firefox and Thunderbird to fix a critical zero-day vulnerability that has been actively exploited in the wild.

  • The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could allow an attacker to execute arbitrary code on the victim's computer.

  • The vulnerability is suspected to target individuals who are at an elevated risk, such as activists, dissidents, and journalists.

  • Mozilla has released Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 to fix the vulnerability.

  • Google has also released a fix for the vulnerability in Chrome.

Additional Details

  • The WebP image format is a modern image format that is designed to be more efficient than other image formats, such as JPEG and PNG.

  • The heap buffer overflow vulnerability occurs when Firefox or Thunderbird attempts to decode a specially crafted WebP image.

  • The vulnerability could allow an attacker to execute arbitrary code on the victim's computer by tricking them into opening a malicious WebP image.

  • Mozilla and Google have been working to fix the vulnerability since it was reported to them.

  • The security updates have been released for all supported versions of Firefox and Thunderbird.

  • Users are advised to update their browsers as soon as possible to protect themselves from this vulnerability.

all 8 comments
sorted by: hot top controversial new old
[-] Darth_Vader__@lemmy.world 20 points 2 years ago

Oh great doesn't it mean Tor (the browser) was vulnerable too?

[-] Raisin8659 15 points 2 years ago

Yes, there's already an update.

[-] sun_is_ra@sh.itjust.works 13 points 2 years ago

Just wondering whether its a coincidence that chrome and Firefox are both vulnerable.

[-] Raisin8659 39 points 2 years ago

Since webp is Google's, I wouldn't be surprised that everybody is using Google libwebp's derived code to display webp images. There was an advisory to check updates for ALL your browsers on ALL platforms. Edge also had a recent update.

[-] AProfessional@lemmy.world 16 points 2 years ago

There is a single implementation of webp that they both use.

[-] Treczoks@kbin.social 10 points 2 years ago* (last edited 2 years ago)

Are there ways to test if a webp is malicious? Besides "Open it and see if you got infected"?

Clarification: I consider any file that causes this overflow as malicious, regardless if it carries code or not.

[-] AProfessional@lemmy.world 2 points 2 years ago

It could theoretically be detected by a script, but that’s more work than just updating.

this post was submitted on 13 Sep 2023
186 points (98.9% liked)

Firefox

20523 readers
11 users here now

/c/firefox

A place to discuss the news and latest developments on the open-source browser Firefox.

Rules

1. Adhere to the instance rules

2. Be kind to one another

3. Communicate in a civil manner

Reporting

If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
golden_zealot@lemmy.ml