Apply Urgent Update to Firefox and Thunderbird

This message is intended for U-M IT staff who are responsible for university devices running the Mozilla Firefox web browser or Thunderbird email client. It will also be of interest to individuals who have these programs installed on their own devices.

Summary

Mozilla has released an important update to the Firefox web browser and Thunderbird email client for a zero-day vulnerability that is being actively exploited in the wild. Update both as soon as possible.

Problem

Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website or opening a message containing a malicious image.

Threats

The vulnerability is being actively exploited in the wild.

Affected Versions

Versions of Firefox and Thunderbird prior to:

  • Firefox 117.0.1
  • Firefox ESR 102.15.1
  • Firefox ESR 115.2.1
  • Thunderbird 102.15.1 (for those using the 102 versions)
  • Thunderbird 115.2.2 (for those using the 115 versions)

Action Items

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Update Firefox and Thunderbird to the latest version as soon as possible. MiWorkspace-managed machines are being updated and Mozilla is currently rolling out the new versions to personal devices.

Users need to relaunch the program or restart their computers after the update to begin using the new version:

  1. Find out your version: Go to Firefox or Thunderbird in the menu bar at the top of your screen and select About Firefox or About Thunderbird.
  2. The About window will open and alert you to the update(s) available. Click to install the update, and relaunch when prompted.
  3. Repeat this process to be sure that you have installed the necessary version. In some cases, you may need to install more than update to reach the desired version.
  4. You must update both Firefox and Thunderbird separately if both programs are installed.

Technical Details

The vulnerability (CVE-2023-4863) is a heap buffer overflow issue in the WebP image format. The vulnerability affects a number of popular programs, including Google Chrome.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Additionally:

  • ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.

References