Vulnerabilities in popular browsers and applications can have catastrophic consequences, including extensive downtime and system compromise, if impacted users do not promptly patch them. We want to alert you of a critical, actively exploited zero-day vulnerability in Firefox and Thunderbird (CVE-2023-4863) that is among the most severe we have seen in a long time.

This flaw could allow a remote attacker to execute arbitrary code to gain control over an impacted device if left unpatched. But stay calm, cool, and collected. As LinuxSecurity.com Content Editor, I'm here to help protect your security and productivity. Read on to ensure your systems are updated and secure.

We also have other significant discoveries and fixes for you, including mitigations for a critical buffer overflow vulnerability in c-ares that could allow an attacker to execute arbitrary code or cause a denial of service condition. It's crucial that you stay up-to-date on these issues to safeguard your system from any potential harm. 

Did you find today’s newsletter informative and helpful? If so, please pay it forward and share it with a fellow security geek to help ensure their systems are secure from these dangerous vulnerabilities. We also welcome feedback on how we could improve our newsletters or our site. If you have any comments or suggestions, please share them with us. Have a Linux security-related topic you'd like to cover for our audience? We welcome contributions from insightful and passionate community members who share our enthusiasm for Linux security!

Stay safe out there,

Brittany Signature 150 Esm W150

Firefox

The Discovery 

A critical zero-day vulnerability that has been exploited in the wild was discovered in Firefox. This severe bug, CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format. 

Firefox Esm W220

The Impact

This flaw could allow a remote attacker to execute arbitrary code when processing a specially crafted image.

The Fix

Mozilla has released essential updates for Firefox that mitigate this critical issue. We strongly recommend that all impacted users apply these updates immediately to protect against exploits leading to crashes and system compromise.

Your Related Advisories:

[distro_list_1]

Thunderbird

The Discovery 

It was discovered that Thunderbird is also impacted by the previously mentioned heap buffer overflow vulnerability in the WebP image format (CVE-2023-4863). This bug has received a severity rating of “Critical”.

Thunderbird Esm W226

The Impact

This flaw could allow a remote attacker to execute arbitrary code to gain control over an impacted device.

The Fix

Thunderbird has addressed this issue with an important security update. We strongly encourage all impacted users to apply these updates immediately to protect against crashes and prevent malicious hackers from hijacking their critical systems.

Your Related Advisories:

[distro_list_2]

c-ares

The Discovery 

A critical buffer overflow vulnerability has been found in c-ares before 1_16_1 thru 1_17_0 via the function ares_parse_soa_reply in ares_parse_soa_reply.c (CVE-2020-22217). Due to how simple this bug is to exploit and its significant threat to impacted systems' confidentiality, integrity, and availability, it has received a National Vulnerability Database base score of 9.8 out of 10 (“Critical” severity). But don't panic just yet! 

C Ares Esm W400

The Impact

Exploitation of this flaw could allow an attacker to execute arbitrary code or cause a denial of service (DoS) condition.

The Fix

A crucial c-ares security update has been released to fix this severe flaw. We urge all impacted users to update as soon as possible to prevent attacks potentially resulting in inconvenient, costly downtime and system compromise.

Your Related Advisories:

[distro_list_3]