Mozilla, CISA urge users to patch Firefox security flaw

Mozilla released an advisory this week warning users of a vulnerability affecting its popular web browser and email client.

Exploitation of the bug would allow a hacker to take control of an affected system, officials at the Cybersecurity and Infrastructure Security Agency (CISA) said in their own notice.

Tagged as CVE-2023-4863, the vulnerability was discovered by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto, according to Mozilla.

Mozilla rated the vulnerability critical and said it is aware of it being exploited in other products in the wild. The company addressed the issue in patches to its Firefox, Firefox ESR and Thunderbird products.

The issue pertains to the WebP code library, which is used by multiple browsers and image editors.

Google – which released a patch addressing the bug for its Chrome browser – said it is also aware that an exploit for CVE-2023-4863 exists in the wild. Microsoft published its own advisory about it, noting that it affects the Microsoft Edge browser.

Little information was provided about how it is being exploited, but CISA added the bug to its known exploited vulnerabilities list on Wednesday, giving federal civilian agencies until October 4 to patch it.

Menlo Security co-founder Poornima DeBolle said the issue affects all of the major browsers and is an example of why vulnerabilities affecting browsers can often be a “whack-a-mole game for security teams.”

“Browsers are distributed and used all over organizations, making them a challenge to patch. A single vulnerability in an open source package is putting everyone at risk. Attackers know this and are finding more creative ways to exploit this weak link,” DeBolle said.

Several experts said the fact that the vulnerability was discovered by Citizen Lab indicated that it may be tied to two zero-click exploits disclosed last week known as “BlastPass.”

One bug, tracked as CVE-2023-41064, allowed devices — including some iPhones, iPads, Macs, and Apple Watches — to become vulnerable to attack when processing “a maliciously crafted image,” Apple said. It affects the Image I/O framework, specifically.

Citizen Lab did not respond to requests for comment about whether CVE-2023-4863 was tied to the BlastPass findings.