Patch EVERYTHING: Widely Used ‘WebP’ Code has Critical Bug – Source: securityboulevard.com

Source: securityboulevard.com – Author: Richi Jennings

Critical vuln in libwebp: Go get updates to Chrome, Firefox, Edge, Slack and more.

After Apple’s BLASTPASS patches, come a bunch of others—from Google, Microsoft, Mozilla and Slack. Exploits are in the wild. Expect more to come as the scale of the problem becomes clear.

The bug is in a Google image library that’s built in to all these apps (and many others). In today’s SB Blogwatch, we prepare for a week of carpal tunnel.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Damn you.

WebP FAIL

Where are we going? All aboard the Brian Krebs cycle—“Patch 0-Day Bugs”:

CVE-2023-4863

Google [says] an exploit for a heap overflow bug in Chrome is being exploited in the wild. … Interestingly, Google says this bug was reported by Apple and Citizen Lab.



Mozilla also has fixed a zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp.” … This vulnerability is being tracked as CVE-2023-4863.

Move fast and break things? Richard Speed is all about nominative determinism—“Chrome gets caught with its WebP down”:

Could be a connection

Google has rushed out a fix. [It] has followed Apple in hurriedly issuing an update in response to research from The Citizen Lab. … Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows.



As well as being natively supported in other Chromium browsers, such as Edge and Opera, WebP is used in several different tools and image editors. … While Google has been light on specifics, the credit given to the reporters … as well as the timing and type, indicates there could be a connection between this and the issue Apple patched.

Gory detail, please? Alex Ivanovs obliges—“Many apps, not just browsers, under threat”:

BuildHuffmanTable

So far the web browsers that have confirmed a fix and released an update include: Google Chrome, Mozilla Firefox, Brave, and Microsoft Edge. [But] this vulnerability doesn’t just affect web browsers; it affects any software that uses the libwebp library. This includes Electron-based applications, for example: Signal. … CVE-2023-4863 was falsely marked as Chrome-only by Mitre, [so] media reported this issue as “Chrome only”, when it’s not.



The root of the issue lies within the “BuildHuffmanTable” function. … The new version determined the maximum number of entries by counting symbols. However, because the Huffman tree comes from an untrusted source, situations could arise where the number of bits is excessively large [but] a fixed size was assumed, leading to potential overflows.
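The quote above describes a general class of decoder defect: a lookup table whose size is assumed fixed while the code lengths that populate it come from the untrusted file. The following is an added illustration written for this post, not libwebp’s own BuildHuffmanTable and not code from any of the people quoted. It shows the defensive pattern a decoder wants: validate the untrusted canonical-Huffman code lengths with the Kraft inequality and a length bound first, derive the table size from the validated lengths, and only then allocate and fill the table. The `MAX_ALLOWED_LEN` bound, the `entry_t` layout and all sample inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative bound on code length. A real decoder takes this from its
   format specification; the value here is an assumption for the example. */
#define MAX_ALLOWED_LEN 15

typedef struct {
    uint16_t symbol;
    uint8_t  bits;   /* code length of the entry, 0 = unused */
} entry_t;

/* Validate untrusted canonical-Huffman code lengths before any table is sized.
   Returns the longest length present if the lengths form a complete prefix
   code (Kraft sum exactly 1) within MAX_ALLOWED_LEN, otherwise 0. Incomplete
   codes are rejected for simplicity; some formats permit single-symbol codes. */
int check_code_lengths(const uint8_t *lens, size_t n) {
    uint64_t kraft = 0;          /* sum of 2^(MAX_ALLOWED_LEN - len), i.e. scaled 2^-len */
    int longest = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] == 0) continue;
        if (lens[i] > MAX_ALLOWED_LEN) return 0;   /* would make the table unboundedly large */
        kraft += (uint64_t)1 << (MAX_ALLOWED_LEN - lens[i]);
        if (lens[i] > longest) longest = lens[i];
    }
    if (kraft != (uint64_t)1 << MAX_ALLOWED_LEN) return 0;  /* over- or under-subscribed */
    return longest;
}

/* Build a single-level lookup table keyed by the next `longest` input bits
   (MSB-first canonical codes). The size is derived from the validated lengths,
   so every write below stays in bounds. Returns NULL on invalid input;
   *out_size receives the number of entries actually allocated. */
entry_t *build_lookup(const uint8_t *lens, size_t n, size_t *out_size) {
    int longest = check_code_lengths(lens, n);
    if (longest == 0 || n > UINT16_MAX) return NULL;
    size_t size = (size_t)1 << longest;
    entry_t *table = calloc(size, sizeof *table);
    if (table == NULL) return NULL;

    /* Canonical code assignment (as in DEFLATE): count lengths, then the first
       code of each length follows from the counts of the shorter lengths. */
    unsigned count[MAX_ALLOWED_LEN + 1] = {0};
    for (size_t i = 0; i < n; i++) count[lens[i]]++;
    count[0] = 0;
    unsigned next_code[MAX_ALLOWED_LEN + 1] = {0};
    unsigned code = 0;
    for (int len = 1; len <= longest; len++) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }

    for (size_t sym = 0; sym < n; sym++) {
        int len = lens[sym];
        if (len == 0) continue;
        unsigned c = next_code[len]++;
        /* Every `longest`-bit pattern whose top `len` bits equal c decodes to sym. */
        size_t first = (size_t)c << (longest - len);
        size_t span  = (size_t)1 << (longest - len);
        for (size_t k = 0; k < span; k++) {       /* first + span <= size by the Kraft check */
            table[first + k].symbol = (uint16_t)sym;
            table[first + k].bits   = (uint8_t)len;
        }
    }
    *out_size = size;
    return table;
}

/* Convenience: build, read one table index, free. Returns the symbol, or -1
   if the lengths were rejected or the index lies outside the built table. */
int lookup_symbol(const uint8_t *lens, size_t n, size_t index) {
    size_t size = 0;
    entry_t *table = build_lookup(lens, n, &size);
    if (table == NULL) return -1;
    int sym = index < size ? table[index].symbol : -1;
    free(table);
    return sym;
}

int main(void) {
    /* Constructed inputs: one valid code and two that must be refused. */
    const uint8_t good[] = {2, 1, 3, 3};
    const uint8_t oversubscribed[] = {1, 1, 1};
    const uint8_t too_long[] = {MAX_ALLOWED_LEN + 1, 1};
    printf("good: longest=%d\n", check_code_lengths(good, 4));
    printf("oversubscribed accepted? %d\n", check_code_lengths(oversubscribed, 3) != 0);
    printf("too_long accepted? %d\n", check_code_lengths(too_long, 2) != 0);
    return 0;
}
```

The point of the split into `check_code_lengths` and `build_lookup` is that the allocation size is a function of data that has already been bounded; a decoder that allocates first and validates later (or never) has nothing preventing the fill loop from running past the end of its buffer.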

Don’t forget Slack. Update to “4.34.119”:

12 September 2023. This release includes security improvements. Updating is recommended. … Upgrading will provide users with security benefits.

Too many image formats? acdha urges caution:

This is why I’m more sympathetic to browser developers being slow to adopt new formats. WebP is a marginal advantage over JPEG … which hasn’t seen much success, but now that’s translated into multiple high-priority security holes and we’re all going to be spending the next month deploying patches everywhere.



That doesn’t mean we shouldn’t do new things but I think as developers we’re prone to underestimate the cost pretty heavily. … It always costs more than we anticipate.

Wait. Pause. “New” format? WebP is 13 years old! Here’s Richard Rabbat back in September 2010:

Most of the common image formats on the web today were established over a decade ago. … We are releasing a developer preview of a new image format, WebP, that promises to significantly reduce the byte size of photos on the web, allowing web sites to load faster.



We used an image compressor based on the VP8 codec that Google open-sourced in May. … We also adapted a very lightweight container based on RIFF.

Even so, DS999 sounds frustrated:

Too many image related exploits. … Maybe instead of worrying about compression ratio, the people designing image formats ought to ensure it can’t be exploited to … overrun buffers? The original spec for JPEG even provided sample software that claimed the buffer sizes used were the largest it could ever need. They weren’t.



Unfortunately the skill set for visual compression and the skill set for avoiding an exploitable spec don’t tend to have much overlap.

Meanwhile, what should we do? u/m_sniffles_esq simplifies:

Be sure to update (and don’t open any odd WebP images, just in case).

And Finally:

“hey google, u okay?”

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Original Post URL: https://securityboulevard.com/2023/09/patch-everything-widely-used-webp-code-has-critical-bug/

Category & Tags: Analytics & Intelligence, API Security, Application Security, AppSec, Cloud Security, Cybersecurity, Data Privacy, Data Security, Deep Fake and Other Social Engineering Tactics, DevOps, DevSecOps, Editorial Calendar, Endpoint, Featured, Governance, Risk & Compliance, Humor, Incident Response, Insider Threats, Malware, Mobile Security, Most Read This Week, Network Security, News, Popular Post, Ransomware, Securing Open Source, Securing the Cloud, Securing the Edge, Security at the Edge, Security Awareness, Security Boulevard (Original), Security Challenges and Opportunities of Remote Work, Security Operations, Social Engineering, Software Supply Chain Security, Spotlight, Threat Intelligence, Threats & Breaches, Vulnerabilities, Zero-Trust, Buffer Overflow, buffer overflow attack, Buffer Overflow Vulnerabilities, buffer overflows, Chrome, Chromium, edge, Electron, Exploitable Vulnerabilities, Firefox, google, Heap Overflow, libwebp, Open Source and Software Supply Chain Risks, open source software supply chain, open source software supply chain security, opera, SB Blogwatch, secure software supply chain, slack, software supply chain, software supply chain hygiene, software supply chain risk, Software Supply Chain risks, software supply chain security, Software Supply Chain Security Risks, thunderbird, WebP
