{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-066.pdf"
    },
    "title": "Mozilla Firefox and Thunderbird Zero-Day Vulnerability",
    "serial_number": "2023-066",
    "publish_date": "14-09-2023 16:26:54",
    "description": "On September 12, 2023, Mozilla released an emergency security update that addresses a zero-day vulnerability tracked as CVE-2023-4863, which is being exploited in the wild. The vulnerability affects the Firefox web browser and the Thunderbird email client.<br>\n[Update] Please note that this vulnerability also impacts other browsers and any software that uses the affected \"libwebp\" library. CERT-EU strongly advises users to promptly update to the fixed versions of all affected software.<br>\n",
    "url_title": "2023-066",
    "content_markdown": "---\ntitle: 'Mozilla Firefox and Thunderbird Zero-Day\u00a0Vulnerability' \nversion: '1.1'\nnumber: '2023-066'\noriginal_date: 'September 12, 2023'\ndate: 'September 14, 2023'\n---\n\n_History:_\n\n* _13/09/2023 --- v1.0 -- Initial publication_\n* _14/09/2023 --- v1.1 -- Additional information related to impacted browsers_\n\n# Summary\n\nOn September 12, 2023, Mozilla released an emergency security update that addresses a zero-day vulnerability tracked as CVE-2023-4863, which is being exploited in the wild. The vulnerability affects the Firefox web browser and the Thunderbird email client [1].\n\n**[Update]** Please note that this vulnerability also impacts other browsers and any software that uses the affected `libwebp` library. CERT-EU strongly advises users to promptly update to the fixed versions of all affected software.\n\n# Technical Details\n\nThe vulnerability is a heap buffer overflow in the WebP image codec library (`libwebp`). Opening a maliciously crafted WebP image can trigger the overflow in the process that decodes it (the content process in Firefox), which may lead to arbitrary code execution or crash the application.\n\nCVSS scores assigned to related vulnerabilities range from 8.8 to 9.6, and Mozilla rates the impact of this issue as critical [1].\n\n# **[Update]** Affected Products\n\n- The following Mozilla products are affected by this flaw:\n    - Firefox versions prior to 117.0.1\n    - Firefox ESR versions prior to 115.2.1\n    - Firefox ESR versions prior to 102.15.1\n    - Thunderbird versions prior to 102.15.1\n    - Thunderbird versions prior to 115.2.2\n- Any software that uses the `libwebp` library (e.g. Signal, Telegram, 1Password for Mac, and many Android applications).\n\n# **[Update]** Recommendations\n\nIt is strongly advised to update to the fixed versions where a patch is available.\n\n- For Mozilla:\n    - Firefox 117.0.1\n    - Firefox ESR 115.2.1\n    - Firefox ESR 102.15.1\n    - Thunderbird 102.15.1\n    - Thunderbird 115.2.2\n- For any other software affected by this vulnerability, apply the vendor's fix as soon as it becomes available. Note that many applications bundle their own copy of `libwebp` rather than using the system library, so updating the operating system package alone does not fix them; each affected application has to be updated individually.\n\n# References\n\n[1] <https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>13/09/2023 --- v1.0 -- Initial publication</em></li><li><em>14/09/2023 --- v1.1 -- Additional information related to impacted browsers</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 12, 2023, Mozilla released an emergency security update that addresses a zero-day vulnerability tracked as CVE-2023-4863, which is being exploited in the wild. The vulnerability affects the Firefox web browser and the Thunderbird email client [1].</p><p><strong>[Update]</strong> Please note that this vulnerability also impacts other browsers and any software that uses the affected <code>libwebp</code> library. CERT-EU strongly advises users to promptly update to the fixed versions of all affected software.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability is a heap buffer overflow in the WebP image codec library (<code>libwebp</code>). Opening a maliciously crafted WebP image can trigger the overflow in the process that decodes it (the content process in Firefox), which may lead to arbitrary code execution or crash the application.</p><p>CVSS scores assigned to related vulnerabilities range from 8.8 to 9.6, and Mozilla rates the impact of this issue as critical [1].</p><h2 id=\"update-affected-products\"><strong>[Update]</strong> Affected Products</h2><ul><li>The following Mozilla products are affected by this flaw: <ul><li>Firefox versions prior to 117.0.1</li><li>Firefox ESR versions prior to 115.2.1</li><li>Firefox ESR versions prior to 102.15.1</li><li>Thunderbird versions prior to 102.15.1</li><li>Thunderbird versions prior to 115.2.2</li></ul></li><li>Any software that uses the <code>libwebp</code> library (e.g. Signal, Telegram, 1Password for Mac, and many Android applications).</li></ul><h2 id=\"update-recommendations\"><strong>[Update]</strong> Recommendations</h2><p>It is strongly advised to update to the fixed versions where a patch is available.</p><ul><li>For Mozilla: <ul><li>Firefox 117.0.1</li><li>Firefox ESR 115.2.1</li><li>Firefox ESR 102.15.1</li><li>Thunderbird 102.15.1</li><li>Thunderbird 115.2.2</li></ul></li><li>For any other software affected by this vulnerability, apply the vendor's fix as soon as it becomes available. Note that many applications bundle their own copy of <code>libwebp</code> rather than using the system library, so updating the operating system package alone does not fix them; each affected application has to be updated individually.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/\">https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
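Worked example, added here and not part of the CERT-EU advisory or of Mozilla's material: a branch-aware check of installed Mozilla builds against the fixed versions listed under Affected Products and Recommendations. The fixed-version table is taken from those lists; the host names and version strings in the sample inventory are constructed for illustration, and the `(host, product, version)` shape of that inventory is an assumption about how an asset export looks. The point it demonstrates is that each build must be compared with the fix on its own branch: Firefox ESR 102.15.0 is measured against 102.15.1, not 117.0.1, and Thunderbird 115.2.1 is still below its fix (115.2.2) even though 115.2.1 is the fixed Firefox ESR version.

```python
"""Branch-aware check of Mozilla product versions against the CVE-2023-4863 fixes."""
from __future__ import annotations

import re

# Fixed versions from MFSA 2023-40 (reference [1] of the advisory). The main
# Firefox line is keyed "release"; ESR and Thunderbird lines are keyed by the
# major version of their branch, because 102.15.0esr has to be compared with
# 102.15.1 and not with 115.2.1 or 117.0.1.
FIXED_VERSIONS: dict[tuple[str, str | int], tuple[int, ...]] = {
    ("firefox", "release"): (117, 0, 1),
    ("firefox", 115): (115, 2, 1),
    ("firefox", 102): (102, 15, 1),
    ("thunderbird", 115): (115, 2, 2),
    ("thunderbird", 102): (102, 15, 1),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Parse '115.2.0esr' -> ((115, 2, 0), True) and '117.0b3' -> ((117, 0), False).

    Pre-release suffixes such as 'b3' or 'a1' are dropped, so a 117.0b3 build
    compares as 117.0 and is reported vulnerable, which is the conservative outcome.
    """
    text = text.strip().lower()
    is_esr = text.endswith("esr")
    if is_esr:
        text = text[:-3]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split(".")), is_esr


def fixed_version_for(product: str, version: tuple[int, ...], is_esr: bool) -> tuple[int, ...] | None:
    """Return the fix on the branch this build belongs to, or None when the
    advisory lists no fix for that branch (for example an end-of-life ESR line)."""
    product = product.lower()
    if product == "firefox" and not is_esr:
        return FIXED_VERSIONS[("firefox", "release")]
    return FIXED_VERSIONS.get((product, version[0]))


def check(product: str, version_text: str) -> str:
    """Classify one installed build as 'vulnerable', 'fixed' or 'no-fix-listed'."""
    version, is_esr = parse_version(version_text)
    fixed = fixed_version_for(product, version, is_esr)
    if fixed is None:
        return "no-fix-listed"
    # Tuple comparison copes with short forms: (117, 0) < (117, 0, 1) is True.
    return "vulnerable" if version < fixed else "fixed"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map every host of a (host, product, version) inventory to its status."""
    return {host: check(product, version) for host, product, version in inventory}


# Constructed sample inventory (hypothetical hosts), one entry per branch plus edge cases.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "117.0"),          # release line, below 117.0.1
    ("ws-02", "Firefox", "117.0.1"),        # exactly the fixed release
    ("ws-03", "Firefox", "115.2.0esr"),     # ESR 115 line, below 115.2.1
    ("ws-04", "Firefox", "102.15.1esr"),    # ESR 102 line, fixed
    ("ws-05", "Thunderbird", "115.2.1"),    # fixed for Firefox ESR, NOT for Thunderbird (needs 115.2.2)
    ("ws-06", "Thunderbird", "102.15.1"),   # Thunderbird 102 line, fixed
    ("ws-07", "Firefox", "91.13.0esr"),     # end-of-life branch, no fix in the advisory
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Running the block prints one status per host. A build on a branch for which the advisory lists no fix (the 91 ESR line in the sample) is reported as `no-fix-listed` rather than `fixed`, so an unsupported build is never silently passed as patched.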