Arbitrary Code Execution Vulnerability in Google Chrome, Firefox web browsers & Thunderbird Email Client (CVE-2023-4863)

A zero-day arbitrary code execution vulnerability (CVE-2023-4863) was identified in Google Chrome, Firefox web browsers and Thunderbird email client recently and being actively exploited in the wild.  The vulnerability enables a heap buffer overflow that resides in the WebP image format to result in arbitrary code execution or a crash.  Users are urged to apply the latest patch immediately to mitigate any potential threats.

Vulnerability

• Arbitrary Code Execution Vulnerability (CVE-2023-4863)

Severity Level

• Critical

Affected versions

• Google Chrome prior to 116.0.5845.187/.188 (Windows)
• Google Chrome prior to 116.0.5845.187 (Linux/Mac)
• Google Chrome prior to 117.0.5938.60 (Android)
• Firefox prior to 117.0.1,
• Firefox prior to ESR 102.15.1, 115.2.1
• Thunderbird prior to 102.15.1, 115.2.2

Remediation

• Update the Google Chrome, Firefox and Thunderbird to the latest version ASAP.

Reference

• Google Chrome Remote Code Execution Vulnerability
• Mozilla Products Remote Code Execution Vulnerability
• Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 — Mozilla
• NVD – CVE-2023-4863 (nist.gov)

Enquiry

• ITSC Service Desk: http://servicedesk.itsc.cuhk.edu.hk

Published on: 14 Sep 2023