Mozilla fixes Firefox critical flaw in video codec
Take action: Another patch alert for all browsers. The previous vulnerability meant you could be hacked simply by being shown a malicious image in the browser; this time it's a malicious video. Luckily, patching is very easy: update your browsers.
Mozilla has issued a critical security update for its Firefox web browser, addressing a significant security vulnerability present in all supported versions of the browser. This update is applicable to Firefox and Firefox ESR across various platforms, including desktop operating systems, Firefox Focus, and Firefox for Android.
The identified critical security issue, CVE-2023-5217, involves a heap buffer overflow within libvpx, a software video codec library developed by Google and the Alliance for Open Media. Libvpx, being open source, is widely utilized in web browsers.
The desktop version of Firefox has been updated to version 118.0.1 to address this issue. Firefox ESR has been updated to version 115.3.1, and the Android-based browsers to version 118.1.0.
Mozilla highlighted in its security advisory that the specific handling of a maliciously controlled VP8 media stream could lead to a heap buffer overflow within the content process. They acknowledge that this issue has been actively exploited in various products.
Although the extent of these attacks remains unclear, Mozilla emphasizes that this exploit necessitates access to a VP8 media stream to be executed.
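Since the advisory boils down to "are you on the fixed build or not", here is an added example (not Mozilla's code) that compares a reported Firefox version against the three fixed versions quoted above. It assumes a version string carrying an "esr" suffix is an ESR build, that the caller names the product line otherwise, and the inventory rows are constructed sample data.

```python
# Added example: decide whether a Firefox build already carries the libvpx
# fix, using the fixed versions from the advisory (assumptions in comments).
from typing import Dict, List, Tuple

# Fixed versions exactly as given in the text, per product line.
FIXED: Dict[str, Tuple[int, int, int]] = {
    "desktop": (118, 0, 1),
    "esr": (115, 3, 1),
    "android": (118, 1, 0),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '118.0.1' or '115.3.1esr' into a 3-tuple of ints. Channel
    suffixes such as 'esr' or 'b2' are dropped; missing parts count as 0."""
    core = ""
    for ch in text.strip():
        if ch.isdigit() or ch == ".":
            core += ch
        else:
            break
    parts = [int(p) for p in core.split(".") if p]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def is_patched(version: str, product: str = "desktop") -> bool:
    """True when the build is at or above the fixed version for its line.
    Assumption: an 'esr' suffix marks the ESR line regardless of product.
    Anything below the fixed version counts as vulnerable, since the
    advisory says every supported version was affected."""
    if "esr" in version.lower():
        product = "esr"
    return parse_version(version) >= FIXED[product]

def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts whose (host, product, version) row is still unpatched."""
    return [host for host, product, version in inventory
            if not is_patched(version, product)]

if __name__ == "__main__":
    # Constructed sample inventory (host, product line, reported version).
    sample = [
        ("laptop-01", "desktop", "118.0.1"),
        ("laptop-02", "desktop", "118.0"),
        ("server-03", "desktop", "115.3.0esr"),
        ("phone-04", "android", "118.1.0"),
    ]
    print(hosts_needing_update(sample))  # → ['laptop-02', 'server-03']
```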