Mozilla patches Firefox and Thunderbird against zero-day exploits
Mozilla has addressed a critical zero-day vulnerability in its Firefox web browser and Thunderbird email client with urgent security updates.

The security issue, identified as CVE-2024-4863, was caused by a heap buffer overflow in the WebP code library.

In a published advisory on Tuesday, Mozilla stated, “Opening a malicious WebP image could lead to a heap buffer overflow in the content process,” adding, “We are aware of this issue being exploited in other products in the wild.”

The not-for-profit software developer has fixed the zero-day vulnerability in the following releases:

  • Firefox 117.0.1
  • Firefox ESR 115.2.1
  • Firefox ESR 102.15.1
  • Thunderbird 102.15.1
  • Thunderbird 115.2.2

While the specific details of the WebP flaw being exploited have not been disclosed, users are strongly encouraged to update their Firefox and Thunderbird versions.
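A branch-aware version check against the fixed releases listed above, added here as an example (it is not from the article or from Mozilla). It matters because a naive "at least 117.0.1" test would wrongly flag a fully patched Firefox ESR 115.2.1 as vulnerable; the check compares an installed version only against the fix for its own release branch, and reports a branch the advisory does not list as undetermined rather than guessing. The installed version strings in the test are constructed inputs.

```python
from typing import Optional

# Fixed versions from the advisory, keyed by (product, major release branch).
FIXED_VERSIONS = {
    ("firefox", 117): "117.0.1",
    ("firefox", 115): "115.2.1",    # ESR branch
    ("firefox", 102): "102.15.1",   # ESR branch
    ("thunderbird", 115): "115.2.2",
    ("thunderbird", 102): "102.15.1",
}


def parse_version(v: str) -> tuple:
    """Turn '115.2.1' (or '115.2.1esr') into (115, 2, 1)."""
    parts = v.lower().replace("esr", "").strip().split(".")
    return tuple(int(p) for p in parts if p)


def _padded(t: tuple, n: int) -> tuple:
    # Pad with zeros so '117.0' compares as (117, 0, 0), not as a shorter tuple.
    return t + (0,) * (n - len(t))


def is_patched(product: str, installed: str) -> Optional[bool]:
    """True if the installed build is at or above the fix for its branch,
    False if it is below it, None if the advisory lists no fix for that
    branch (e.g. Firefox 116) so the caller must consult the current advisory."""
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get((product.lower(), ver[0]))
    if fixed is None:
        return None
    fixed_t = parse_version(fixed)
    n = max(len(ver), len(fixed_t))
    return _padded(ver, n) >= _padded(fixed_t, n)
```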

Google has already addressed the issue in Chrome

Mozilla’s software was not the only software using the vulnerable version of the WebP code library.

Google released a patch for its Chrome web browser on Monday, cautioning that “an exploit for CVE-2024-4863 exists in the wild.” The security updates are currently being distributed and are expected to cover all Chrome users in the coming weeks.

Apple and The Citizen Lab identified the flaw

Apple’s Security Engineering and Architecture team initially reported the flaw on Sept. 6, along with The Citizen Lab at the University of Toronto’s Munk School — the latter well-known for identifying and disclosing zero-day vulnerabilities.

Citizen Lab recently discovered two zero-day vulnerabilities used to deploy NSO Group’s infamous Pegasus mercenary spyware on up-to-date iPhones. Apple patched the vulnerabilities last week before backporting them to older iPhone models, such as the iPhone 6s, iPhone 7, and iPhone SE.
