Mozilla has released an emergency security update to address an actively exploited critical zero-day vulnerability affecting its Firefox web browser and Thunderbird email client.
Mozilla has just rolled out a security update for all supported versions of its Firefox web browser as well as the Thunderbird email client. These updates come fix a critical security issue in WebP that is actively exploited by cybercriminals.
The flaw affects Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird. The vulnerability, named CVE-2023-4863, has since been fixed with the release of Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. Updates are now available, and As always, we advise you to install them as quickly as possible.
Also read – Mozilla finally reveals the end of support date for Firefox on Windows 7, 8 and 8.1
Mozilla fixes dangerous vulnerability in Firefox
The vulnerability notably allows an attacker to remotely perform an out-of-bounds memory write via a crafted HTML page, leading to arbitrary code execution. Mozilla has not disclosed details of the attacks exploiting this flaw, but the fact that it was discovered by Citizen Lab researchers suggests that it was exploited in targeted attacks against high-profile individuals. , such as journalists, politicians or dissidents.
Note that Firefox 117.0.1 is not just a security update, since it also fixes a number of issues in the open source web browser. Two bugs affecting the opening of links are fixed in the release. The first causes the “reopen all tabs” option in the recently closed tabs menu to sometimes not open all tabs. In the second case, links activated outside of Firefox on macOS were sometimes not opened in Firefox.
Another fix also addresses an issue that affected extensions. Sometimes extensions were interrupted while they were still running. This could happen when extensions used “an events page for long-running tasks”. Finally, other fixes concern a bookmarks menu visibility issue, a time zone detection issue on some sites, and an audio worklets issue on sites that use WebAssembly exception handling.