UPDATE YOUR BROWSERS IMMEDIATELY. RCE VULNERABILITY DISCOVERED
NVD - CVE-2023-4863
Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.
This is way way wider than just browsers. Anything that can display webp images is vulnerable and that includes things like MS Teams and Twitch.
Further solidifying webp as the worst image format.
The current advisory is in webm (VP8 specifically). The webp one was 2 weeks ago. ...yeah, not a good time for web browsers lately...
(edit: noticed OP actually did link the webp one, I thought it'd be CVE-2023-5217 because that's being linked elsewhere)
It's the full disclosure of the ImageIO webp vuln from last week, this is the root cause.
idk. The post content was not in all caps, so I am not really sure about the urgency
AGAIN?
It's last week's big libwebp vulnerability again.
Edit: this underlying vuln is why last week's CVE was such a big deal, anything using webp is at risk including a whole big pile of electron apps that everyone uses.
oh >_>
Sorta. OP just linked the full disclosure of the libwebp vulnerability that made the news 2 weeks ago.
But there's an even more recent vulnerability in libvpx that was announced this week, that is similar in a lot of ways (including severity).
There's a more recent CVE as well for FF that was patched in 118.0.1: CVE-2023-5217: Heap buffer overflow in libvpx
What actual like platforms does this affect and to what extent tho? Like Mac (probably not iOS which is WebKit)?
I've read elsewhere it's actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/
Discord, slack, MS Teams, Steam, pretty much anything. But most of them have already fixed it so if you let stuff update itself frequently, there's little risk.
Current Description
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Apple also released urgent out-of-band security patches for iOS and MacOS around the same time, and disclosed that it had something to o do with imag processing. Unclear whether they use libwebp or some other implementation, but they disclosed that it was being actively exploited on iPhones.
I read this as RICE vulnerability and was confused
Yeah, Linux boys would be mad
No, how could I be mad about the truth? We'd download and run any dotfiles if the screenshot looks nice enough.
Imma let you get to that soon but we all know RCE vulnerabillities really won the night here
What about webview-based browsers in android phones?
As far as I'm aware this does affect Android and is not currently fixed. It's expected to be fixed in the October security patch.
This is just my memory of reading weeks ago. Someone else may know better.
This isn't just a browser vulnerability. It's a vulnerability at a much more fundamental level, which is why it's so critical. It's a vulnerability in how almost every piece of software processes a widely supported image format, so anything that touches images is potentially at risk: browsers, chat or messaging apps, file browsers, or really anything that uses thumbnails or image previews, including some core OS functionality. On the server side, you've got anything that makes thumbnails and previews, too.
We should wait and see whether there are any practical attacks outside the browser context (maybe the malicious code needs to be placed in a web page that displays the malicious image file, or maybe they need to figure out a way to actually put all the malicious code in the image file itself). But the vulnerability itself is in a fundamental library used by a lot more software.
Not sure why you only mention Chromium and Firefox in the post text, I can only assume this vulnerability affects ALL browsers. Safari (WebKit based) is, as far as I know, the second most used browser in the world.
It's anything implementing .webp support. Though the CVE has been out for nearly two weeks already so most apps have been patched.
Actually, it’s specific to libwebp, but many things that decode webp just use this library (for example, decoding webp with the "image" rust crates doesn’t use libwebp. It does use it for encoding thought).
I found these alerts so hilarious.. You have no idea how many vulnerabilities are discovered by grey/blackhat hackers. Even whitehat working for the governments or contractors not reporting it to have more variety of back doors.
But ok.. Update and "be" protected. 🤣
Yes but this is a vulnerability now open to the public that script kiddies are going to utilize so unless you want your data grabbed by a 14yo larper for opening an image in your browser update your browser