this post was submitted on 13 Sep 2023
172 points (98.9% liked)


Summary

  • Mozilla has released security updates for Firefox and Thunderbird to fix a critical zero-day vulnerability that has been actively exploited in the wild.

  • The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could allow an attacker to execute arbitrary code on the victim's computer.

  • The vulnerability is suspected to target individuals who are at an elevated risk, such as activists, dissidents, and journalists.

  • Mozilla has released Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 to fix the vulnerability.

  • Google has also released a fix for the vulnerability in Chrome.

Additional Details

  • The WebP image format is a modern image format that is designed to be more efficient than other image formats, such as JPEG and PNG.

  • The heap buffer overflow vulnerability occurs when Firefox or Thunderbird attempts to decode a specially crafted WebP image.

  • The vulnerability could allow an attacker to execute arbitrary code on the victim's computer by tricking them into opening a malicious WebP image.

  • Mozilla and Google have been working to fix the vulnerability since it was reported to them.

  • The security updates have been released for all supported versions of Firefox and Thunderbird.

  • Users are advised to update their browsers as soon as possible to protect themselves from this vulnerability.
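A check of installed builds against the fixed versions listed in the post, as an added example that is not part of the original post. The sample version lines are constructed, and treating any major version newer than every listed branch as patched is an assumption.

```python
import re

# Fixed versions as listed in the post, keyed by product and release branch (major).
FIXED = {
    "firefox": {117: (117, 0, 1), 115: (115, 2, 1), 102: (102, 15, 1)},
    "thunderbird": {115: (115, 2, 2), 102: (102, 15, 1)},
}
VERSION_RE = re.compile(r"\b(Firefox|Thunderbird)\s+(\d+(?:\.\d+){0,3})", re.I)


def parse_version_line(line):
    """Return (product, version_tuple) from a `--version` style line, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(2).split("."))
    # Pad to three components so "117.0" compares as (117, 0, 0).
    parts += (0,) * (3 - len(parts))
    return m.group(1).lower(), parts


def status(line):
    """Classify one version line as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version_line(line)
    if parsed is None:
        return "unknown"  # not a Firefox or Thunderbird version line
    product, version = parsed
    branches = FIXED[product]
    major = version[0]
    if major in branches:
        return "patched" if version >= branches[major] else "vulnerable"
    # Assumption: a major newer than every listed branch already carries the fix;
    # any other major has no fixed build named in the post.
    return "patched" if major > max(branches) else "vulnerable"


# Constructed sample input, in the shape printed by `firefox --version`.
SAMPLE = [
    "Mozilla Firefox 117.0.1",
    "Mozilla Firefox 115.2.0esr",
    "Mozilla Firefox 116.0.3",
    "Mozilla Thunderbird 102.15.0",
    "Chromium 116.0.5845.96",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{status(line):10}  {line}")
```

Other applications that decode WebP, such as the Chrome and Tor Browser builds mentioned on this page, are reported as unknown because the post gives no fixed version numbers for them.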

all 8 comments
[–] [email protected] 18 points 11 months ago (1 children)

Oh great, doesn't it mean Tor (the browser) was vulnerable too?

[–] [email protected] 14 points 11 months ago

Yes, there's already an update.

[–] sun_is_ra 13 points 11 months ago (3 children)

Just wondering whether it's a coincidence that Chrome and Firefox are both vulnerable.

[–] [email protected] 38 points 11 months ago

Since webp is Google's, I wouldn't be surprised that everybody is using Google libwebp's derived code to display webp images. There was an advisory to check updates for ALL your browsers on ALL platforms. Edge also had a recent update.

[–] [email protected] 16 points 11 months ago

There is a single implementation of webp that they both use.

[–] [email protected] 10 points 11 months ago* (last edited 11 months ago) (1 children)

Are there ways to test if a webp is malicious? Besides "Open it and see if you got infected"?

Clarification: I consider any file that causes this overflow as malicious, regardless of whether it carries code or not.

[–] [email protected] 2 points 11 months ago

It could theoretically be detected by a script, but that’s more work than just updating.