Mozilla releases patches for Firefox, Thunderbird to fix actively exploited vulnerabilities
Take action: Just as you needed to update Chrome and Chromium browsers, it's time to click on the update button in Firefox and Thunderbird. It takes less than a minute.
Mozilla has released security updates to address a critical zero-day vulnerability, tracked as CVE-2023-4863, which has been actively exploited in the wild, affecting both its Firefox web browser and Thunderbird email client.
This vulnerability, stemming from a heap buffer overflow in the WebP code library (libwebp), has the potential to lead to crashes or arbitrary code execution when a malicious WebP image is opened. Mozilla has acknowledged the exploitation of this issue in other products, emphasizing the severity of the threat.
To mitigate this risk, Mozilla has patched the zero-day vulnerability in various versions, including:
- Firefox 117.0.1,
- Firefox ESR 115.2.1,
- Firefox ESR 102.15.1,
- Thunderbird 102.15.1,
- Thunderbird 115.2.2.
Mozilla has also noted that this zero-day vulnerability affects other software using the same vulnerable version of the WebP code library. Notably, Google Chrome has already been patched against this flaw, with Google issuing a warning about its exploitation in the wild.
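A fleet check against the fixed versions listed above, as an added example that is not from Mozilla or the original article. The inventory lines are constructed, the function names are hypothetical, and treating any major version newer than the highest listed fix as already patched is an assumption.

```python
import re

# Fixed releases for CVE-2023-4863, taken from the list in the article.
FIXED = {
    "firefox": [(102, 15, 1), (115, 2, 1), (117, 0, 1)],
    "thunderbird": [(102, 15, 1), (115, 2, 2)],
}

# Matches banners such as "Mozilla Firefox 115.2.0esr" or "Thunderbird 102.15.0".
VERSION_RE = re.compile(r"(firefox|thunderbird)\D*?(\d+(?:\.\d+){0,2})", re.I)

# Constructed sample inventory (e.g. collected output of `firefox --version`).
SAMPLE_INVENTORY = [
    "host-a: Mozilla Firefox 117.0",
    "host-b: Mozilla Firefox 117.0.1",
    "host-c: Mozilla Firefox 115.2.0esr",
    "host-d: Mozilla Thunderbird 115.2.2",
    "host-e: Thunderbird 102.15.0",
]


def parse(line):
    """Return (product, (major, minor, patch)) from a version banner, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # "118.0" -> (118, 0, 0)
    return m.group(1).lower(), tuple(parts)


def needs_update(line):
    """True if the build is older than the fixed release for its branch."""
    parsed = parse(line)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {line!r}")
    product, version = parsed
    fixed = FIXED[product]
    for release in fixed:
        if release[0] == version[0]:
            return version < release  # same branch as a listed fix
    # Major not on the list. Assumption: newer than the highest fix means patched.
    return version < fixed[-1]


def audit(lines):
    """Return the inventory lines that still need the update."""
    return [line for line in lines if needs_update(line)]
```

Running `audit(SAMPLE_INVENTORY)` returns the entries for host-a, host-c and host-e, the three builds that sit below the fixed release for their branch.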