Mozilla patches critical WebP security issue in Firefox and Thunderbird
Mozilla has released security updates for all supported versions of its Firefox web browser as well as for the email client Thunderbird. The updates address a critical security issue in WebP that is exploited in the wild.
The products are affected by the same critical security issue that Google Chrome and Chromium-based browsers are affected by. Google released a security update for Chrome on the same day to patch the vulnerability.
Firefox users are advised to update the browser immediately to the new version. WebP is an image format that is used widely on the Internet. Mozilla notes that opening a malicious WebP image could "lead to a buffer overflow in the content process", which can result in the execution of malicious code on the user's system.
The updates are available already. Firefox users may select Menu > Help > About Firefox to display the current version and get the latest update. Thunderbird users may select Menu > Help > About Thunderbird to do the same. The latest versions are the following ones after the installation of the update:
- Firefox 117.0.1 Stable
- Firefox 115.2.1 ESR
- Firefox 102.15.1 ESR
- Thunderbird 115.2.2
- Thunderbird 102.15.1
Firefox 117.0.1 is not only a security update, as it addresses a number of issues in the open source web browser as well. Two bugs that affect the opening of links are addressed in the release. The first caused the "reopen all tabs" option of the recently closed tabs menu to fail to open all the tabs sometimes. The second saw links activated outside Firefox on macOS not being opened in Firefox sometimes.
Another fix addresses an issue that affected extensions. Sometimes, extensions would be terminated while still running. This could happen when the extensions used "an event page for long-running tasks".
Mozilla reverted on change temporarily. The change prevents JavaScript from changing the URL protocol. Mozilla plans to roll it out at a later point.
The other fixes address a bookmarks menu visibility issue, a time zone detection issue on some sites, and an issue with audio worklets not working on sites that use WebAssembly exception handling.
You can check out the full Firefox 117.0.1 release notes and the security advisory here.
Except all other browsers that support the image format to be affected by the WebP security issue as well. Most have or will release security updates to address the issue.
Now You: how often do you see WebP images on the web?
