• Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks



    “Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client.

    “Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.

    “Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild,” Mozilla said in an advisory published on Tuesday.

    Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.”



    I noticed that their repeated calls that “102 will be the last version to be supported” mean that 102 will still get security updates, at least for a month. (Anyone with further clarity on this welcome.) This is good, as many (myself included) got a look at 115, knew horror, and stuck with 102. Too new, too many glitches and griping/howling from users heard.

    Also, T-bird keeps ping-ponging between offering updates to 102 and the new 115…weird. Is there smoke coming from the engine room at Mozilla?


    Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
    "Windows Update? Bah! I could carve a better ecosystem out of a banana!" -Jamrach Holobom

    • #2587387

      I’m going to guess that this vulnerability is deep enough within the shared code base used by Firefox and Tbird that fixing the problem makes it relatively easy to deploy to all currently supported versions with a point release.

      I know I’ll have to suck it up and migrate to the newest 115.x release of Thunderbird (or a whole different email program) someday, but it’s not going to happen for at least a month or two for me. Too many critically important projects happening right now to be slowed down and annoyed by a new and potentially buggy new UI.

      I’ve seen a decent number of fixes released for the new version 115, so hopefully many of the bugs are squashed before I get around to migrating.

      I suspect user resistance and ongoing improvements to the new version are factors in the decision to keep slinging updates to 102.

    • #2587594

      Though Firefox ESR 102 goes “EOL” around end of September 2023, when FF ESR 115.3 comes out (by then that will be the only ESR release).

    • #2587899

      (just to add supporting details for the uninitiated)
      Per the following link (which is officially maintained by Mozilla AFAICT), Firefox 115 takes over as the sole ESR release on September 26 (UTC).

      Firefox 115 is also the last ESR channel that supports Windows 7 and 8.1, with the final release (115.15) on September 3, 2024.

      The following link may also be of interest to those curious about the specific dates of upcoming Firefox releases:
