After Google closed a 0-day gap on Monday with the update to Chrome 116.0.5845.188, most browser manufacturers have followed suit. Mozilla has released updates for Firefox and Thunderbird. Brave, Microsoft (Edge), Vivaldi and Opera also offer secured browser versions. The same vulnerability must be eliminated in all of them. It remains unclear for now whether there is a connection to the 0-day gaps in Apple systems.
Security researchers at Citizen Lab at the University of Toronto and at Apple have discovered a vulnerability (CVE-2023-4863) in the handling of manipulated WebP image files. Attackers can inject and execute arbitrary code using crafted WebP images in web pages or emails. According to Google, the vulnerability is already being exploited. Google developed the WebP format and Mozilla apparently also uses the vulnerable code from the open source program library libwebp in its software.
▶The latest security updates
Mozilla has therefore provided updates to Firefox 117.0.1, Firefox ESR 115.2.1 and Firefox ESR 102.15.1 as well as Thunderbird 115.2.2 and 102.15.1. Mozilla classifies the vulnerability as critical and points out in its security report that the vulnerability would be exploited “in other products”.
Update September 15th
An update to the new version 12.5.4 is available for the Tor Browser. It is based on Firefox ESR 102.15.1 and is therefore also secured. The developers have also updated OpenSSL to version 1.1.1w to fix a security vulnerability (CVE-2023-4807). End of update
The manufacturers of other Chromium-based browsers (Brave, Microsoft, Opera, Vivaldi) have also responded and are offering security updates. Use the browser’s integrated update functions.
Is there a connection to the Pegasus spyware?
Apple had already released the first security updates for iOS 16 and macOS Ventura on September 7th, followed by updates for older versions of the systems on September 11th. The reason is a finding by the Citizen Lab at the University of Toronto, according to which unknown actors are said to have secretly installed the notorious spyware Pegasus from the NSO Group on iPhones. To do this, they exploited a 0-day vulnerability (CVE-2023-41064) in Apple’s ImageIO component. This so-called “Blastpass” exploit is also said to work with prepared image files. It is still unclear whether there is a direct connection between the Apple gap and the browser gaps in Chrome, Firefox & Co.
Affected software at a glance:
| software | secured version | Chromium version |
|---|---|---|
| Chrome 117 | 117.0.5938.63 | 117.0.5938.63 |
| Chrome 116 | 116.0.5845.188 | 116.0.5845.188 |
| Brave 1.57 | 1.57.64 | 116.0.5845.188 |
| Brave 1.58 | 1,58,124 | 117.0.5938.62 |
| Microsoft Edge | 116.0.1938.81 | 116.0.5845.188 |
| Opera | 102.0.4880.51 | 116.0.5845.188 |
| Vivaldi | 6.2.3105.48 | 116.0.5845.195 |
| Firefox | 117.0.1 | – |
| Firefox ESR | 115.2.1 | – |
| Firefox ESR | 102.15.1 | – |
| Thunderbird | 115.2.2 | – |
| Thunderbird | 102.15.1 | – |
| Tor Browser | 12.5.4 | – |
