Mozilla has released a security update to address a critical zero-day vulnerability in Firefox and Thunderbird. This vulnerability was actively exploited in the wild and was patched by Google in their Chrome browser the day before.
The vulnerability, tracked as CVE-2023-4863, is a heap buffer overflow that can allow arbitrary code execution when a specially crafted WebP image is opened. An attacker could exploit this flaw to achieve remote code execution by tricking a user into visiting a malicious HTML page.
The security issue was initially reported by Apple Security Engineering and Architecture (SEAR) and Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. Mozilla has resolved the problem in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
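To check an inventory against the fixed builds listed above, the following added example (not Mozilla's code) compares each installed version with the fix for its own branch. The inventory rows are constructed, the function names and status labels are hypothetical, ESR builds are assumed to report a version ending in `esr`, and branches newer than those listed are assumed to carry the fix.

```python
import re

# Fixed builds for CVE-2023-4863 as listed in the article, per product and branch.
FIXED = {
    "firefox": {117: (117, 0, 1)},
    "firefox-esr": {115: (115, 2, 1), 102: (102, 15, 1)},
    "thunderbird": {115: (115, 2, 2), 102: (102, 15, 1)},
}

def parse_version(text):
    """Parse '117.0' or '115.2.0esr' into ((major, minor, patch), is_esr)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", text.strip().lower())
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None

def assess(product, version):
    """Return 'fixed', 'needs-update' or 'unlisted' for one inventory row."""
    parsed = parse_version(version)
    product = product.strip().lower()
    if parsed is None:
        return "unlisted"          # unparsable version string: review by hand
    ver, is_esr = parsed
    if product == "firefox" and is_esr:
        product = "firefox-esr"    # assumption: ESR builds carry the 'esr' suffix
    branches = FIXED.get(product)
    if branches is None:
        return "unlisted"          # product not covered by the article
    if ver[0] in branches:         # compare only against the same branch's fix
        return "fixed" if ver >= branches[ver[0]] else "needs-update"
    if ver[0] > max(branches):
        return "fixed"             # assumption: later branches include the fix
    if product == "firefox":
        return "needs-update"      # release channel: anything below 117.0.1
    return "unlisted"              # older branch with no fix named in the article

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-01", "Firefox", "117.0"),
    ("ws-02", "Firefox", "115.2.1esr"),
    ("ws-03", "Thunderbird", "102.15.0"),
    ("ws-04", "Thunderbird", "91.13.1"),
]

def audit(rows):
    """Attach a status to every inventory row."""
    return [(host, prod, ver, assess(prod, ver)) for host, prod, ver in rows]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-12s %-12s %s" % row)
```

Comparing per branch matters here: an ESR 115.2.0 host sorts above the ESR 102.15.1 fix but is still below the fix for its own branch.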
In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical vulnerability, CVE-2023-33246, affecting Apache RocketMQ to its Known Exploited Vulnerabilities catalog. This vulnerability, with a CVSS score of 9.8, allows attackers to execute arbitrary commands on the affected system, potentially leading to unauthorized access or control. Exploitation can occur through the configuration update function or by tampering with the RocketMQ protocol.
Furthermore, in early September, a serious security vulnerability in the Atlas VPN client for Linux was discovered and shared on Reddit. A cybersecurity researcher, who chose to remain anonymous, published a proof-of-concept exploit demonstrating how an attacker could obtain a user’s real IP address by luring them to a malicious website hosting exploit code targeting the Linux version of the VPN client.