Mozilla released emergency security updates on September 12, 2023 [6] to address CVE-2023-4863 [1] [2] [4], a critical zero-day vulnerability in the libwebp image library that was already being exploited in the wild. The flaw, reported by Apple's Security Engineering and Architecture (SEAR) team and The Citizen Lab at the University of Toronto's Munk School [2] [4] [5], is a heap buffer overflow in the WebP lossless (VP8L) decoder's Huffman table construction: opening a crafted WebP image can crash the process or allow arbitrary code execution [3]. Both Mozilla and Google rate the issue critical [4].
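Because the trigger is a crafted image, a useful triage step for a responder holding suspicious WebP files is to determine which decoder path they will reach. The following Python script is added here as an example; it is not part of the original article or of libwebp. It walks the RIFF/WEBP container with bounds checks and flags files that exercise the lossless (VP8L) path, either directly or through a VP8L-compressed alpha plane in an ALPH chunk. The sample files are constructed inline for illustration and are not exploit samples; the flag indicates exposure to the vulnerable code path, not maliciousness, since any legitimate lossless image sets it too.

```python
import struct


def build_webp(chunks):
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs.

    Used here only to construct sample files inline. Chunks are padded to an
    even length, as the RIFF container requires.
    """
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data):
    """Yield (fourcc, payload) for each chunk, refusing malformed containers."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_size  # RIFF size counts everything after the 8-byte header
    if end > len(data):
        raise ValueError("RIFF size field exceeds file length")
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + size > end:
            raise ValueError(f"chunk {fourcc!r} overruns container")
        yield fourcc, data[start:start + size]
        pos = start + size + (size & 1)  # skip the pad byte after odd-sized chunks


def parse_vp8l_header(payload):
    """Decode the 5-byte VP8L header: signature 0x2F, then 14-bit width-1,
    14-bit height-1, 1 alpha bit and a 3-bit version (must be 0)."""
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature byte")
    bits = struct.unpack_from("<I", payload, 1)[0]
    return {
        "width": (bits & 0x3FFF) + 1,
        "height": ((bits >> 14) & 0x3FFF) + 1,
        "alpha": bool((bits >> 28) & 1),
    }


def triage(data):
    """Classify a WebP file and report whether the lossless decoder is reached."""
    chunks = list(iter_chunks(data))
    if not chunks:
        raise ValueError("container has no chunks")
    first, payload = chunks[0]
    result = {"format": None, "lossless_decoder": False,
              "width": None, "height": None, "alpha": None}
    if first == b"VP8L":
        result["format"] = "lossless"
        result.update(parse_vp8l_header(payload))
    elif first == b"VP8 ":
        result["format"] = "lossy"
    elif first == b"VP8X":
        # Extended header: 1 flags byte, 3 reserved, 24-bit canvas width-1, 24-bit height-1
        if len(payload) < 10:
            raise ValueError("short VP8X header")
        result["format"] = "extended"
        result["alpha"] = bool(payload[0] & 0x10)
        result["width"] = int.from_bytes(payload[4:7], "little") + 1
        result["height"] = int.from_bytes(payload[7:10], "little") + 1
    else:
        raise ValueError(f"unexpected first chunk {first!r}")
    for fourcc, body in chunks:
        if fourcc == b"VP8L":
            result["lossless_decoder"] = True
        elif fourcc == b"ALPH" and body and (body[0] & 0x03) == 1:
            # ALPH compression method 1 means the alpha plane is a VP8L bitstream,
            # so the lossless decoder runs even though the colour data is lossy VP8.
            result["lossless_decoder"] = True
    return result


# Constructed samples (headers only, not decodable pictures, not exploit files).
SAMPLE_LOSSLESS = build_webp([(b"VP8L", b"\x2f\x0f\xc0\x01\x10\x00")])  # 16x8, alpha
SAMPLE_LOSSY = build_webp([(b"VP8 ", b"\x50\x02\x00\x9d\x01\x2a\x20\x00\x10\x00")])
SAMPLE_EXTENDED = build_webp([
    (b"VP8X", b"\x10\x00\x00\x00\x1f\x00\x00\x0f\x00\x00"),  # alpha flag, 32x16 canvas
    (b"ALPH", b"\x01\x00\x00\x00\x00\x00"),                  # compression = 1 (lossless)
    (b"VP8 ", b"\x50\x02\x00\x9d\x01\x2a\x20\x00\x10\x00"),
])
# Chunk size field inflated to 0x40 so the chunk overruns the container.
SAMPLE_OVERRUN = SAMPLE_LOSSLESS[:16] + struct.pack("<I", 0x40) + SAMPLE_LOSSLESS[20:]

if __name__ == "__main__":
    for name in ("SAMPLE_LOSSLESS", "SAMPLE_LOSSY", "SAMPLE_EXTENDED"):
        print(name, triage(globals()[name]))
```

Run it over a directory of quarantined files by replacing the inline samples with `open(path, "rb").read()`; anything that raises ValueError is malformed and worth a closer look on its own, and anything reporting `lossless_decoder: True` should be held back from unpatched viewers.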

Description

Mozilla has released emergency security updates for Firefox and Thunderbird: Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1 and Thunderbird 115.2.2 contain the fix, and users are strongly advised to update [3]. Because the flaw is in libwebp rather than in Mozilla's own code, every application that bundles a vulnerable copy of the library is affected [3], including Google Chrome [2] [3], which was patched in version 116.0.5845.187 on September 11 [1] [2] [3]. The upstream fix shipped in libwebp 1.3.2; other Chromium-based browsers, Electron applications and any software that statically links the library need their own rebuilds.
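Verifying the patch means comparing the installed version against the fixed version for its own branch, since ESR 102, ESR 115 and the 117 release line each received a different number, and an unsupported branch such as 116 never received one. The following Python check is added here as an example and is not Mozilla's tooling; the fixed versions are the ones listed in Mozilla's advisory for CVE-2023-4863 (MFSA 2023-40), and the `installed_version` helper assumes the binary prints something like "Mozilla Firefox 117.0.1" for `--version`.

```python
import re
import subprocess

# Fixed versions from MFSA 2023-40, keyed by product and branch major version.
FIXED_VERSIONS = {
    "firefox": {102: (102, 15, 1), 115: (115, 2, 1), 117: (117, 0, 1)},
    "thunderbird": {102: (102, 15, 1), 115: (115, 2, 2)},
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'Mozilla Firefox 117.0.1', '115.2.1esr' or '117.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(product, version_text):
    """Return 'fixed', 'vulnerable' or 'unsupported' for an installed version.

    'unsupported' means the branch never received a fix (e.g. Firefox 116),
    so the remedy is to move to a maintained branch, not to wait for a point release.
    """
    fixed = FIXED_VERSIONS[product.lower()]
    ver = parse_version(version_text)
    major = ver[0]
    if major in fixed:
        return "fixed" if ver >= fixed[major] else "vulnerable"
    if major > max(fixed):
        return "fixed"  # a release line newer than any in the advisory ships the fix
    return "unsupported"


def installed_version(binary):
    """Run '<binary> --version' locally; returns None if it is not installed."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    for product in ("firefox", "thunderbird"):
        out = installed_version(product)
        if out is None:
            print(f"{product}: not found")
        else:
            print(f"{product}: {out} -> {assess(product, out)}")
```

On a fleet, feed `assess` the version strings collected by your inventory tool instead of running the binaries; the branch logic is the part that is easy to get wrong in a one-line "is it above 117.0.1" check, which would wrongly flag every patched ESR install.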

Separately, Apple patched two zero-days on September 7, 2023 that were chained in an exploit The Citizen Lab named BLASTPASS: CVE-2023-41064, a buffer overflow in the ImageIO framework triggered by a malicious image, and CVE-2023-41061, a validation issue in Wallet, delivered as PassKit attachments over iMessage. The chain was used to deploy NSO Group's Pegasus spyware on fully patched iPhones with no interaction from the victim [3]. The Citizen Lab discovered and reported the chain [1], and the ImageIO bug is widely assessed to be the same libwebp flaw as CVE-2023-4863, which the same two parties reported to Google that week. The Citizen Lab is known for identifying zero-day vulnerabilities used in targeted espionage campaigns.

Conclusion

The Mozilla and Apple releases show why bugs in shared image-parsing libraries need prompt attention: a single libwebp flaw reached browsers, mail clients and messaging apps alike, and was exploited before any patch existed. Users should update Firefox, Thunderbird, Chrome and their Apple devices, and administrators should inventory other software that bundles libwebp, since each such application needs its own rebuild. The discovery and disclosure work of organizations like The Citizen Lab remains crucial for exposing targeted espionage campaigns and getting such bugs fixed.

References

[1] https://vulnera.com/newswire/mozilla-fixes-critical-zero-day-vulnerability-in-firefox-and-thunderbird/
[2] https://www.scmagazine.com/news/mozilla-patches-critical-zero-day-that-targeted-its-firefox-browser-and-thunderbird-email-client
[3] https://www.howtogeek.com/mozilla-firefox-thunderbird-security-flaw-2023/
[4] https://www.bitdefender.com/blog/hotforsecurity/mozilla-issues-emergency-patch-for-critical-zero-day-vulnerability-in-firefox-and-thunderbird/
[5] https://thehackernews.com/2023/09/mozilla-rushes-to-patch-webp-critical.html
[6] https://heimdalsecurity.com/blog/mozilla-zero-day-vulnerability/