Tor Browser, Tails Issued Patches for WebP Critical Zero-Day Exploit Affecting All Major Browsers
Microsoft Edge, Mozilla Firefox, Google Chrome, Apple's Safari, as well as most other popular browsers, have all released patches for CVE-2023-4863.
- Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari browser have all been impacted by a single zero-day vulnerability tracked as CVE-2023-4863, which is caused by a heap buffer overflow in the WebP code library.
- "Opening a malicious WebP image could lead to a heap buffer overflow in the content process," Mozilla said. Once exploited, it can lead to system crashes and arbitrary code execution, allowing a remote attacker to perform an out-of-bounds memory write through a malicious WebP image.
- Attacks appear to be limited to Google Chrome for now; Mozilla's advisory said the company was "aware of this issue being exploited in other products in the wild."
- “Since many browsers, including Microsoft Edge, Brave, Opera, and Vivaldi are built on the Chromium platform, the same platform that Chrome is based on, this could affect their users as well. The same risk is also applicable for Firefox browser clones,” said Chris Hauk, consumer privacy advocate at Pixel Privacy.
- CVE-2023-4863 was first identified by researchers at The Citizen Lab, a research arm of the University of Toronto, on September 6, 2023.
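The summary above says only that the bug is a heap buffer overflow in libwebp triggered by a malicious WebP image. For a defender, the practical questions are which files even reach that decoder and whether structurally broken files can be stopped earlier. The following is an added example written for this page, not code from the article, from Mozilla, or from the Tor or Tails projects: a Python triage parser that walks the RIFF/WebP container, reports the chunk list and which bitstream (lossy `VP8 ` or lossless `VP8L`) the file carries, and rejects files whose size fields disagree with the bytes actually present. It reads header fields only and never runs libwebp's pixel decoder. The sample file is constructed inline by `build_sample_vp8l`; the `tail` bytes stand in for entropy-coded data and are never decoded. As an editor's aside not stated on the page: the libwebp fix for this CVE landed in the lossless decoder's Huffman-table construction, so the `VP8L` report is the one to prioritise when inventorying images behind an unpatched client.

```python
import struct

# Constructed sample inputs (not files from any advisory): build_sample_vp8l()
# assembles a minimal RIFF/WebP container with a lossless (VP8L) header.

VP8L_SIGNATURE = 0x2F
VP8_KEYFRAME_START_CODE = b"\x9d\x01\x2a"


def parse_webp(data: bytes) -> dict:
    """Walk the RIFF/WebP container without decoding pixels.

    Returns {"chunks": [(fourcc, size), ...], "bitstream": "VP8"|"VP8L"|None,
             "width": int|None, "height": int|None}.
    Raises ValueError on structural inconsistency: bad magic, a RIFF size
    that disagrees with the file length, or a chunk claiming bytes that are
    not there.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WebP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        raise ValueError(f"RIFF size {riff_size} does not match file length {len(data)}")

    info = {"chunks": [], "bitstream": None, "width": None, "height": None}
    pos = 12
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes, only {len(payload)} present")
        info["chunks"].append((fourcc, size))
        # The lossy FourCC is "VP8" followed by a space; the lossless one is "VP8L".
        if fourcc == "VP8L" and info["bitstream"] is None:
            _read_vp8l_header(payload, info)
        elif fourcc == "VP8 " and info["bitstream"] is None:
            _read_vp8_header(payload, info)
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length
    return info


def _read_vp8l_header(payload: bytes, info: dict) -> None:
    # Lossless header: signature byte 0x2f, then 14-bit width-1, 14-bit
    # height-1, 1 alpha bit and a 3-bit version, packed little-endian.
    if len(payload) < 5 or payload[0] != VP8L_SIGNATURE:
        raise ValueError("VP8L chunk lacks the 0x2f signature byte")
    bits = struct.unpack_from("<I", payload, 1)[0]
    info["bitstream"] = "VP8L"
    info["width"] = (bits & 0x3FFF) + 1
    info["height"] = ((bits >> 14) & 0x3FFF) + 1


def _read_vp8_header(payload: bytes, info: dict) -> None:
    # Lossy key frame: 3-byte frame tag, 3-byte start code, then width and
    # height as 14-bit values inside little-endian 16-bit fields.
    if len(payload) < 10 or payload[3:6] != VP8_KEYFRAME_START_CODE:
        raise ValueError("VP8 chunk is not a key frame")
    info["bitstream"] = "VP8"
    info["width"] = struct.unpack_from("<H", payload, 6)[0] & 0x3FFF
    info["height"] = struct.unpack_from("<H", payload, 8)[0] & 0x3FFF


def build_sample_vp8l(width: int, height: int, tail: bytes = b"\x00\x00\x00") -> bytes:
    """Construct a minimal lossless WebP container for testing (constructed data).

    `tail` stands in for the entropy-coded image data, which this example never decodes."""
    bits = (width - 1) | ((height - 1) << 14)
    payload = bytes([VP8L_SIGNATURE]) + struct.pack("<I", bits) + tail
    chunk = b"VP8L" + struct.pack("<I", len(payload)) + payload
    if len(payload) & 1:
        chunk += b"\x00"
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def triage(data: bytes) -> str:
    """One-line verdict suitable for an upload filter or mail-gateway log."""
    try:
        info = parse_webp(data)
    except ValueError as exc:
        return f"REJECT malformed container: {exc}"
    kinds = [fourcc for fourcc, _ in info["chunks"]]
    return f"OK {info['bitstream']} {info['width']}x{info['height']} chunks={kinds}"


if __name__ == "__main__":
    sample = build_sample_vp8l(2, 2)
    print(triage(sample))          # well-formed lossless header
    print(triage(sample[:-4]))     # truncated copy: RIFF size no longer matches
```

The container check is deliberately strict: a RIFF size or chunk length that does not match the bytes on disk is a reason to drop the file before any image library sees it. It is not a substitute for the libwebp update, since a file can be perfectly well-formed at the container level and still exercise the vulnerable decoder; the point of the `bitstream` field is to tell you which files would.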
Tor Browser v12.5.4
- "Tor Browser 12.5.4 is now available from the Tor Browser download page and also from our distribution directory."
- "This release updates Firefox and GeckoView to 102.15.1esr and fixes CVE-2023-4863: Heap buffer overflow in libwebp."
Tails v5.17.1
- This release is an emergency release to fix a critical vulnerability in Tor Browser.
TechTarget Article / Archive
Tor Blog Post / Archive
Tails Blog Post / Archive