Urgent Security Updates Released by Mozilla for Firefox and Thunderbird Amidst Zero-Day Exploits

Mozilla has urgently released security updates to address a critical zero-day vulnerability that has been actively exploited. This vulnerability affects both the Firefox web browser and the Thunderbird email client. The issue, identified as CVE-2023-4863, stems from a heap buffer overflow in the WebP code library (libwebp). Its consequences range from causing crashes to potentially allowing unauthorized code execution.

Mozilla has acknowledged that this vulnerability has been exploited in various products. To mitigate the risk, it has released Firefox 117.0.1, Firefox ESR 115.2.1 and 102.15.1, and Thunderbird 102.15.1 and 115.2.2.

While specific details about the exploitation of the WebP flaw are not disclosed, it is confirmed that this critical vulnerability has been used in real-world attacks. Therefore, it is strongly recommended that users promptly install the updated versions of Firefox and Thunderbird to protect their systems.
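To turn the version list above into a fleet check, the following added example (not Mozilla's code) compares reported versions against the fixed release for each branch. The inventory rows, function names and status labels are constructed for illustration, and treating majors newer than the listed branches as patched is an assumption.

```python
import re

# Fixed release per branch (keyed by major version), as listed in this post.
FIXED = {
    "firefox": {117: (117, 0, 1), 115: (115, 2, 1), 102: (102, 15, 1)},
    "thunderbird": {115: (115, 2, 2), 102: (102, 15, 1)},
}

def parse_version(text):
    """Turn '115.2.0esr' or '117.0' into a 3-tuple of ints, ignoring suffixes."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def status(product, version_text):
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one install."""
    branches = FIXED[product.lower()]
    ver = parse_version(version_text)
    if ver[0] in branches:
        return "patched" if ver >= branches[ver[0]] else "vulnerable"
    if ver[0] > max(branches):
        return "patched"  # assumption: later majors carry the fix
    return "unlisted-branch"  # the post names no fixed release for this major

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-01", "Firefox", "117.0"),
    ("ws-02", "Firefox", "115.2.1esr"),
    ("ws-03", "Thunderbird", "115.2.1"),  # fixed for Firefox ESR, not Thunderbird
    ("ws-04", "Thunderbird", "102.15.1"),
    ("ws-05", "Firefox", "116.0.3"),
]

def needs_update(inventory):
    """List (host, product, version, status) for installs not confirmed patched."""
    flagged = []
    for host, product, version in inventory:
        result = status(product, version)
        if result != "patched":
            flagged.append((host, product, version, result))
    return flagged

if __name__ == "__main__":
    for row in needs_update(INVENTORY):
        print(*row)
```

Note that 115.2.1 is a fixed build for Firefox ESR but not for Thunderbird, whose fix on that branch is 115.2.2, so the comparison has to be per product.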

Mozilla’s security advisory also reveals that this zero-day vulnerability, CVE-2023-4863, affects other software using the vulnerable version of the WebP code library. This includes the Google Chrome web browser, which received a patch for this issue on Monday. Google has warned of the existence of an exploit for CVE-2023-4863 in the wild. The Chrome security updates are being gradually deployed to users in the Stable and Extended stable channels and are expected to reach all users in the coming days or weeks.
