For the second time this month, Mozilla has to patch a 0-day vulnerability in Firefox that initially seemed to affect only Chrome and its derivatives. The vulnerability CVE-2023-5217 in the libvpx program library is already being used to attack Chrome users. Google released an emergency update for Chrome on September 27 to fix the exploit. The following day, Mozilla followed suit with updates to Firefox 118.0.1 and Firefox ESR 115.3.1. The vulnerability has also been fixed in Firefox for Android 118.1.0.
The open source libvpx library is used to encode videos. CVE-2023-5217 is a buffer overflow in libvpx when encoding videos in VP8 format. If an attacker exploits this vulnerability, injected malicious code can be executed. To do this, he could embed a prepared video in any web page and lure potential victims to the page, with a link in an email or via a messenger app for example.
Although no such attacks on Firefox are known at present, only Chrome, all Firefox users should immediately install the available update. To do so, go to Help > About Firefox in the ≡ menu and follow the instructions. Mozilla classifies this vulnerability as critical in its security report .
On September 29, the Tor Project updated its browser to fix the 0-day vulnerability. For Tor Browser 12.5.6, the developers backported the corresponding security patch from Firefox ESR 115.3.1 to the old browser base, because Tor Browser 12.5.x is still based on Firefox ESR 102.15.
Also on September 29, Mozilla subsidiary MZLA Technologies provided a security update for Thunderbird. In Thunderbird 115.3.1, the developers have fixed the 0-day vulnerability CVE-2023-5217 – and a few more bugs.
A bad month for browser security
The libvpx program library was originally developed by On2 Technologies, a company specializing in video codecs, which Google acquired in 2010. Google subsequently released the software as open source. It supports the VP8 and VP9 video formats. Many open source projects use such standard libraries, some of which are also regarded as reference implementations.
Google already provided an emergency update for Chrome in mid-September to close another critical 0-day vulnerability in the browser. Vulnerability CVE-2023-4863 in the open-source libwebp program library can be exploited with crafted image files in WebP format. This program library is also used in Firefox, which released an emergency patch of its own. In the meantime, it has emerged that a large number of other programs whose developers use the WebP library may also affected. For example, Gimp, LibreOffice, Telegram, 1Password, and many others are potentially vulnerable.
The next few days will show whether such a debacle will be repeated with the CVE-2023-5217 vulnerability in the libvpx program library. For example, the popular VLC media player also uses libvpx, as do other open source media players and video converters such as MPlayer or Handbrake.
This article was translated from German to English and originally appeared on pcwelt.de.