For the second time this month, Mozilla has to patch a 0-day vulnerability in Firefox that originally appeared to affect only Chrome and its derivatives. The vulnerability CVE-2023-5217 in the libvpx library is already being used to attack Chrome users. Google released an emergency update for Chrome on September 27 to fix the exploited vulnerability. The following day, Mozilla followed suit with updates to Firefox 118.0.1 and Firefox ESR 115.3.1. The vulnerability has also been fixed in Firefox for Android 118.1.0.
The open source libvpx library is used to encode videos. CVE-2023-5217 is a buffer overflow in libvpx when encoding videos in VP8 format. If an attacker exploits this vulnerability, injected malicious code can be executed. To do this, the attacker could embed a prepared video in any web page and lure potential victims to the page, for example with a link in an email or via a messenger app.
Although no such attacks on Firefox are known at present, only on Chrome, all Firefox users should install the available update immediately. To do so, go to Help > About Firefox in the ≡ menu and follow the instructions. Mozilla classifies this vulnerability as critical in its security report.
On September 29, the Tor Project updated its browser to fix the 0-day vulnerability. For Tor Browser 12.5.6, the developers backported the corresponding security patch from Firefox ESR 115.3.1 to the older browser base, because Tor Browser 12.5.x is still based on Firefox ESR 102.15.
Also on September 29, Mozilla subsidiary MZLA Technologies provided a security update for Thunderbird. In Thunderbird 115.3.1, the developers have fixed the 0-day vulnerability CVE-2023-5217, along with a few more bugs.
A bad month for browser security
The libvpx library was originally developed by On2 Technologies, a company specializing in video codecs, which Google acquired in 2010. Google subsequently released the software as open source. It supports the VP8 and VP9 video codecs. Many open source projects use such standard libraries, some of which are also regarded as reference implementations.
Google had already provided an emergency update for Chrome in mid-September to close another critical 0-day vulnerability in the browser. Vulnerability CVE-2023-4863 in the open-source libwebp library can be exploited with crafted image files in WebP format. This library is also used in Firefox, which released an emergency patch of its own. In the meantime, it has emerged that numerous other programs whose developers use the WebP library may also be affected. For example, Gimp, LibreOffice, Telegram, 1Password, and many others are potentially vulnerable.
The next few days will show whether such a debacle will be repeated with the CVE-2023-5217 vulnerability in the libvpx library. For example, the popular VLC media player also uses libvpx, as do other open source media players and video converters such as MPlayer or Handbrake.
This article was translated from German to English and originally appeared on pcwelt.de.