Mozilla Firefox Security

Mozilla Patches Firefox, Thunderbird Against Zero-Day Exploited in Attacks (bleepingcomputer.com) 15

Mozilla has released emergency security updates to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. From a report: Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution. "Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla said in an advisory published on Tuesday. Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.

  • Now I'll relax and wait a few days for the snap. Love me some snaps!
    • You know there is a Mozilla team PPA right?

      • You know there is a Mozilla team PPA right?

        Sure do. In real life that's what I use. Just trying to point out another, among many, shortcomings of snaps. I curate my Linux box carefully, so I don't run snaps. Inviting a giant gob of who knows what to live on my machine just isn't my cup of tea.

  • by serafean ( 4896143 ) on Wednesday September 13, 2023 @09:44AM (#63844878)

    My guess is: https://github.com/webmproject... [github.com]

    Use package managers, people... updating dynamically linked libwebp is easier than updating 10 different programs, and relying on 10 vendors to be proactive...

  • What are the odds this bug was intentionally put in there? Does that kind of thing ever happen?

    • Probably by University of Minnesota.

    • by cfalcon ( 779563 ) on Wednesday September 13, 2023 @10:50AM (#63845094)

      Of course it happens. But any given exploitable library is way more likely to be a bug and not some master plan.

      The more likely threat is that powerful actors in cyberspace become aware of these flaws and exploit them without being noticed, as NSO group has done over and over again. NSO group is not officially a state-level actor, but given their intelligence ties they may as well be, but unlike more traditional intelligence agencies, they used their zero days as something that could be sold to sketchy governments, to gain access to journalists' phones. So the users of an exploit may be intelligence agencies, strange pseudointelligence agencies like the NSO group, or just straight up criminals looking to steal bitcoin and such.

      There's no great and easy way to disable webp in firefox, but given that I don't like new image formats and try to disable them, I've been using:
      https://addons.mozilla.org/en-... [mozilla.org]
      However, I'm not convinced that webps still don't bleed through from time to time, and maybe this just pulls down a real image for saving purpose.

      Overall webp is an annoying spec for several reasons.
      1- Two entirely different specs under the hood. A png or gif is lossless, a jpg is lossy. A webp is either.
      2- Extremely low compatibility with websites. Nothing wants your webp.
      3- Pretty low compatibility with programs. Some things can move them around, but you're better off with a jpg, png, or gif.
      4- Difficult to disable as completely as you might want it to be
      5- Very low testing compared to older formats, huge risk profile even after this is fixed

      • Thank you for the reply, very informative

      • There's no great and easy way to disable webp in firefox,

        What about about:config "image.webp.enabled" = false?

        • by cfalcon ( 779563 ) on Wednesday September 13, 2023 @01:14PM (#63845684)

          That 100% will make you immune to this vulnerability, but if a browser wants to send a webp (and does support non-webp formats), it will often just be like "welp here's a webp that I don't know how to load" instead of actually requesting the real image.

          If you have webp enabled and go here:
          https://developers.google.com/... [google.com]

          You'll see jpgs on the left and webp on the right.
          If you disable webp, you'll see jpgs on the left and nothing on the right. Which, if you want that, you're good to go.

      • There's a hell of a lot more wrong with WebP than that. There are multiple incompatible header styles for WebP depending on the version number. There are multiple data blocks in a file, and any one of them, not just the first block, can contain the image properties, so you have to scan the whole file just to determine which block has the data you want. Animated WebP files make this even more complicated, because each frame can have its own image properties, but they may not be uniform. Then, just to get

      • 3- Pretty low compatibility with programs. Some things can move them around, but you're better off with a jpg, png, or gif.

        I don't think your info is current. From what I see, I can use webp just fine in programs like Gimp or LibreOffice. Heck, even MS Paint can open webp.

    • Or how likely another application already has the context to run this overflow location for no apparent reason......
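
The chunked layout raised in the comment above on WebP's multiple data blocks, as an added example that is not part of the original discussion: a bounds-checked walk over the RIFF container that lists every chunk and the dimensions it declares. It validates container structure only and does not decode image data; the sample bytes are constructed, and `walk_webp`, `describe`, `SAMPLE` and `OVERSIZED` are names chosen here.

```python
import struct

def describe(fourcc: bytes, p: bytes) -> str:
    """Pull dimensions out of the three chunk types that can carry them."""
    if fourcc == b"VP8X" and len(p) >= 10:          # extended header
        w = int.from_bytes(p[4:7], "little") + 1    # 24-bit canvas width - 1
        h = int.from_bytes(p[7:10], "little") + 1   # 24-bit canvas height - 1
        return f"extended {w}x{h}"
    if fourcc == b"VP8L" and len(p) >= 5 and p[0] == 0x2F:   # lossless
        bits = int.from_bytes(p[1:5], "little")     # two 14-bit fields, each minus 1
        return f"lossless {(bits & 0x3FFF) + 1}x{((bits >> 14) & 0x3FFF) + 1}"
    if fourcc == b"VP8 " and len(p) >= 10 and p[3:6] == b"\x9d\x01\x2a":  # lossy
        w, h = struct.unpack_from("<HH", p, 6)
        return f"lossy {w & 0x3FFF}x{h & 0x3FFF}"
    return ""

def walk_webp(data: bytes):
    """Return [(fourcc, offset, size, note)]; raise ValueError on a malformed container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    end = 8 + struct.unpack_from("<I", data, 4)[0]
    if end > len(data):
        raise ValueError("RIFF size exceeds file length")
    chunks, pos = [], 12
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if size > end - body:                       # declared size must fit
            raise ValueError(f"chunk {fourcc!r} at offset {pos} overruns the container")
        note = describe(fourcc, data[body:body + size])
        chunks.append((fourcc.decode("latin-1"), pos, size, note))
        pos = body + size + (size & 1)              # chunks are padded to even length
    return chunks

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

# Constructed sample: headers only (no decodable image data), 4x3 canvas.
_body = _chunk(b"VP8X", bytes(4) + b"\x03\x00\x00\x02\x00\x00") + \
        _chunk(b"VP8L", b"\x2f\x03\x80\x00\x00")
SAMPLE = b"RIFF" + struct.pack("<I", 4 + len(_body)) + b"WEBP" + _body
# Same file with the VP8L size field replaced by a value larger than the file.
OVERSIZED = SAMPLE[:34] + struct.pack("<I", 0xFFFFFFF0) + SAMPLE[38:]

if __name__ == "__main__":
    for row in walk_webp(SAMPLE):
        print(row)
```

Nested frame data inside `ANMF` chunks is reported as a single chunk here and not walked further.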
