Zero-day affecting Chrome, Firefox and Thunderbird patched

Flaw, under active attack, is a weakness in WebP

Mozilla on Tuesday patched an actively exploited zero-day bug affecting the Firefox browser and Thunderbird email client.

The bug is tracked as CVE-2023-4863. It is a heap buffer overflow flaw in the WebP image format that could be used by a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. Opening a malicious WebP image could trigger the attack.

WebP is a raster graphics file format developed by Google.

In a minimalistic advisory Mozilla says it is aware of the vulnerability being actively exploited. It has released patched versions of Firefox and Thunderbird.

Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 all contain fixes for the vulnerability.

Users are advised to updater Firefox and Thunderbird to the latest.

Google released patches for the same vulnerability in Chrome on Monday. As with Mozilla, little information is provided about the vulnerability or the observed attacks. This is standard practice where divulging information could present an advantage to attackers

The zero-day vulnerability affects Stable and Extended stable channels for Chrome. The latest patched version of Google Chrome are 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows.

Users are advised to update their browser.

Discovery of the zero-day is credited to Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School.