Critical zero-day vulnerabilities were just found in Google Chrome and Mozilla’s Firefox, Firefox ESR, and Thunderbird browsers.
Researchers with Apple’s Security Engineering and Architecture (SEAR) team and The Citizen Lab at The University of Torontoʼs Munk School identified the vulnerability as CVE-2023-4863. Their discovery prevents a future catastrophe.
The same vulnerability affected both companies, prompting immediate responses from both.
So far we know that the vulnerability stemmed from a heap buffer overflow issue that changes the way WebP images are loaded. A heap buffer overflow, put simply, is an accidental overflow of data that can result in the data from one heap corrupting the data in the overflowing heap or rewriting its internal processes.
Hackers could theoretically exploit this vulnerability to make changes to Google and Mozilla’s internal security systems, hence why it was labeled as critical.
“Google is aware that an exploit for CVE-2023-4863 exists in the wild,” reads Google’s chilling advisory warning.
There’s very little to speculate on, since neither company released any information about how criminals may have been abusing the exploit
Mozilla and Google both released an emergency security patch for their affected products after researchers brought it to their attention. Mozilla released Firefox 117.0.1, Firefox ESR 102.15.1, Firefox ESR 115.2.1, Thunderbird 115.2.2, and Thunderbird 102.15.1. Google released 116.0.5845.187 for Mac and Linux users and 116.0.5845.187/.188 for Windows users.
“We would also like to thank all security researchers who worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said the tech giant.
It’s important to double-check the current version of your web browser and make sure it’s updated with the newest security patch. Older versions of Google and Mozilla browsers will still be vulnerable to this exploit.