ALERT: Apply Urgent Update to Firefox and Thunderbird

Mozilla has released an important update to the Firefox web browser and Thunderbird email client for a zero-day vulnerability that is being actively exploited in the wild. Update both as soon as possible.

Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website or opening a message containing a malicious image.

The vulnerability is being actively exploited in the wild.

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Update Firefox and Thunderbird to the latest version as soon as possible. MiWorkspace-managed machines are being updated and Mozilla is currently rolling out the new versions to personal devices.

Users need to relaunch the program or restart their computers after the update to begin using the new version:

1. Find out your version: Go to Firefox or Thunderbird in the menu bar at the top of your screen and select About Firefox or About Thunderbird.
2. The About window will open and alert you to the update(s) available. Click to install the update, and relaunch when prompted.
3. Repeat this process to be sure that you have installed the necessary version. In some cases, you may need to install more than update to reach the desired version.
4. You must update both Firefox and Thunderbird separately if both programs are installed.

The vulnerability (CVE-2023-4863) is a heap buffer overflow issue in the WebP image format. The vulnerability affects a number of popular programs, including Google Chrome.

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:

• ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
• IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Please contact ITS Information Assurance through the ITS Service Center.

• Mozilla Foundation Security Advisory 2023-40 (Mozilla, 9/13/23)
• Critical WebP bug: many apps, not just browsers, under threat (StackDiary, 9/13/23)
• CVE-2023-4863 (National Vulnerability Database, 9/9/23)