
Mozilla patches critical zero-day in its browser and email client


Mozilla on Tuesday urged users and security teams to apply the security updates it issued to fix a critical zero-day vulnerability, already exploited in the wild, in its Firefox web browser and Thunderbird email client.

The zero-day, tracked as CVE-2023-4863, is a heap buffer overflow in WebP image decoding (the libwebp library) that lets a remote attacker perform an out-of-bounds memory write via a crafted HTML page. Because the bug is triggered by simply decoding a malicious WebP image, the exposure is not limited to browsing: any component that renders untrusted images is affected, which is why Thunderbird is patched alongside Firefox. At the time of writing a CVSS score had not yet been assigned, although NIST listed the flaw as critical.

In its advisory of Sept. 12, Mozilla said it was aware of the zero-day being exploited in other products in the wild. Those other products include Google's Chrome browser, which was patched against this flaw on Monday of this week.

Mozilla thanked Apple Security Engineering and Architecture and The Citizen Lab at The University of Toronto's Munk School for bringing the zero-day to their attention.

The products fixed include the following: Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
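Because the fix shipped on three separate branches and the same version number can be patched for one product but not the other (Firefox ESR 115.2.1 is fixed, Thunderbird 115.2.1 is not), a plain "is the version new enough" check gets this wrong. The following is an added example, not code from Mozilla or from this article: it encodes the fixed versions listed above and triages a constructed inventory of hosts. The CSV layout (host, product, version), the hostnames and the versions in the sample are assumptions for illustration; the rule that any major release newer than the newest fixed branch carries the fix is also an assumption stated in a comment.

```python
"""Triage installed Firefox/Thunderbird versions against the CVE-2023-4863 fixes.

Added example for this article; the fixed versions are those Mozilla listed
on Sept. 12, 2023. The inventory below is constructed sample input.
"""

# (product, branch major) -> first fixed version on that branch.
FIXED = {
    ("firefox", 117): (117, 0, 1),    # Firefox release channel
    ("firefox", 115): (115, 2, 1),    # Firefox ESR 115
    ("firefox", 102): (102, 15, 1),   # Firefox ESR 102
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}


def parse_version(text):
    """Turn '115.2.1esr' or '117.0' into a 3-tuple of ints.

    Non-numeric suffixes such as 'esr' are dropped; missing components
    are treated as 0 so that '117.0' compares as (117, 0, 0).
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(product, version_text):
    """Return 'patched' or 'vulnerable' for one installed product version."""
    product = product.lower()
    version = parse_version(version_text)
    branches = {major: fixed for (p, major), fixed in FIXED.items() if p == product}
    if not branches:
        raise ValueError(f"unknown product: {product}")
    major = version[0]
    if major in branches:
        # Same branch: compare against that branch's first fixed release.
        return "patched" if version >= branches[major] else "vulnerable"
    if major > max(branches):
        # Assumption: a later major release (e.g. Firefox 118) includes the fix.
        return "patched"
    # A branch with no fixed release (e.g. Firefox 116, or anything older than
    # ESR 102): there is nothing to update to in place, it must move branches.
    return "vulnerable"


# Constructed sample inventory: host, product, installed version.
SAMPLE_INVENTORY = """\
host01,firefox,117.0.1
host02,firefox,117.0
host03,firefox,115.2.1esr
host04,firefox,102.15.0esr
host05,firefox,116.0.3
host06,thunderbird,115.2.1
host07,thunderbird,102.15.1
"""


def triage(inventory_csv):
    """Map each host in a 'host,product,version' CSV text to its status."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        results[host] = assess(product, version)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feeding the script real data means exporting the version strings your endpoint inventory already collects; the point of the per-branch table is that an ESR 102 install reporting 102.15.1 is done, while a release-channel install reporting 116.x needs a branch move rather than a point update.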

Poornima DeBolle, co-founder and chief product officer at Menlo Security, said that managing browser vulnerabilities has become a “whack-a-mole” game for security teams. DeBolle said the same vulnerability is now affecting all major browsers: Chrome, Edge, Firefox, and Safari.

“Browsers are distributed and used all over organizations, making them a challenge to patch,” said DeBolle. “A single vulnerability in an open-source package is putting everyone at risk. Attackers know this and are finding more creative ways to exploit this weak link. As an industry, we need to talk more about new architectures that protect the browser and how we can improve cyber resilience for the web.”

Web browsers such as Firefox and Chrome are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets, said Patrick Tiquet, vice president, security and architecture at Keeper Security. Tiquet said compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser.

“Ensuring that web browsers are patched is a user or customer-organization responsibility,” said Tiquet. “If not maintained and patched, browsers can be a weak link in the security of any cloud-based service. Client web-browsers should be particularly concerning to cloud-services in this case because they are largely outside of the security controls of the cloud-service provider.”
