Chrome, Firefox and more caught with their WebP down, offer hasty patch-up

Exploit observed in the wild against codec lib in browsers, apps


Updated Google and Mozilla have rushed out a fix for a vulnerability within their browsers – Chrome and Firefox, respectively – noting an exploit already exists in the wild.

The web search giant on Tuesday hurriedly issued an update for its software in response to research by Citizen Lab at the University of Toronto's Munk School. Google also credited the Apple Security Engineering and Architecture (SEAR) team for discovering and reporting the security hole.

Likewise for Moz, which also on Tuesday issued an advisory and updates for its browser and email client.

The critical vulnerability, CVE-2023-4863, is a heap buffer overflow in libwebp, a Google-developed open source library that decodes and encodes WebP images. In practice, any application that uses this library to render WebP images – Chrome, Edge, and Firefox among them – can be attacked with a specially crafted picture: decoding the malformed image writes past the end of a heap buffer, which at minimum crashes the process and at worst lets the attacker run code inside it. The image only has to be parsed, so a web page, a message attachment, or any other channel that hands untrusted image data to the library will do.
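Because the bug is triggered purely by parsing, the practical question for anyone running a mail gateway or upload handler is where WebP data can reach a libwebp-backed decoder at all, and a file extension is no guide. The following added example (written for this page; it is not Google's or Mozilla's code and says nothing about the CVE's internals, which the page does not disclose) identifies WebP blobs by their RIFF container header rather than by name, reports which of the three first-chunk variants the file uses, and flags containers whose declared lengths disagree with the bytes actually present. The sample inputs are constructed inline and are not exploit samples.

```python
import struct
from typing import Optional, Dict, Any

# WebP is a RIFF container: "RIFF" + uint32 LE (file size - 8) + "WEBP", followed by
# chunks of FourCC + uint32 LE payload length + payload (padded to an even length).
# The first chunk is "VP8 " (lossy), "VP8L" (lossless) or "VP8X" (extended).
KNOWN_FIRST_CHUNKS = (b"VP8 ", b"VP8L", b"VP8X")


def _riff(fourcc: bytes, payload: bytes) -> bytes:
    """Build a minimal WebP container around one chunk (constructed test data only)."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    if len(payload) % 2:
        chunk += b"\x00"  # RIFF pads odd-length chunk payloads
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: placeholder payloads, not real image data.
SAMPLE_LOSSY = _riff(b"VP8 ", b"\x00" * 10)
SAMPLE_LOSSLESS = _riff(b"VP8L", b"\x2f" + b"\x00" * 4)  # 0x2f is the VP8L signature byte
SAMPLE_EXTENDED = _riff(b"VP8X", b"\x00" * 10)
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-3]                   # cut off mid-chunk
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff_webp(data: bytes) -> Optional[Dict[str, Any]]:
    """Return container facts for a WebP blob, or None if the bytes are not WebP.

    'consistent' is False when the RIFF or chunk lengths do not match the data
    actually present, which is what you would expect from a truncated or
    hand-edited file and is worth routing to a sandboxed decoder or dropping.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_len = struct.unpack_from("<I", data, 4)[0]
    info: Dict[str, Any] = {
        "riff_len": riff_len,
        "variant": None,
        "chunk_len": None,
        "consistent": riff_len + 8 == len(data),  # RIFF length excludes its own 8-byte header
    }
    if len(data) < 20:
        info["consistent"] = False  # no room for a complete first chunk header
        return info
    fourcc = data[12:16]
    chunk_len = struct.unpack_from("<I", data, 16)[0]
    info["variant"] = fourcc.decode("ascii", "replace")
    info["chunk_len"] = chunk_len
    if fourcc not in KNOWN_FIRST_CHUNKS:
        info["consistent"] = False
    if 20 + chunk_len > len(data):
        info["consistent"] = False  # declared payload runs past the end of the file
    if fourcc == b"VP8L" and chunk_len >= 1 and data[20] != 0x2F:
        info["consistent"] = False  # lossless payload must start with the signature byte
    return info


if __name__ == "__main__":
    for name, blob in [("lossy", SAMPLE_LOSSY), ("lossless", SAMPLE_LOSSLESS),
                       ("extended", SAMPLE_EXTENDED), ("truncated", SAMPLE_TRUNCATED),
                       ("png", SAMPLE_PNG)]:
        print(name, sniff_webp(blob))
```

A gateway that only keys on `.webp` extensions or `image/webp` content types will miss WebP served under another name, and libwebp-backed viewers generally decode by magic bytes, so this sniff is the check to apply on the way in. A file that passes is not thereby safe; the check only tells you the decoder will be invoked.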

We're told an exploit for this flaw already exists out in the wild, and is being used against some targets. Mozilla, for what it's worth, indicated those targets do not include Firefox, for now.

WebP, according to Google, "is a modern image format that provides superior lossless and lossy compression for images on the web." Sadly, it also appears to be a boon for malware distributors.

Google has updated the Stable and Extended channels for Chrome to 116.0.5845.187 for Mac and 116.0.5845.187/.188 for Windows. The Extended Stable channel will roll out over the coming days or weeks. Moz, meanwhile, patched the hole in Firefox 117.0.1, Thunderbird 115.2.2, and other editions of its gear.
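With fixed builds published per product and per platform, the next job is checking an inventory against them, and the usual mistake is comparing version strings lexically, which ranks 116.0.5845.99 above 116.0.5845.187. The added example below (written for this page, not vendor tooling) encodes the fixed versions the article reports and triages a constructed inventory numerically. It assumes the Chrome entries refer to the Stable channel; Extended Stable ships a different version line and is deliberately left out of the table rather than guessed.

```python
from typing import Dict, Iterable, List, Tuple

# Minimum fixed builds as reported for CVE-2023-4863. Chrome on Windows also shipped
# .188; .187 is the lower fixed build, so it is the threshold.
FIXED: Dict[str, str] = {
    "chrome-mac": "116.0.5845.187",
    "chrome-windows": "116.0.5845.187",
    "firefox": "117.0.1",
    "thunderbird": "115.2.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '116.0.5845.187' into (116, 0, 5845, 187) so comparison is numeric."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(product: str, version: str) -> bool:
    """True if the installed version is at or above the fixed build for the product.

    Products not in the table are treated as unknown and reported as not fixed,
    since silence from a vendor is not the same as a patch.
    """
    threshold = FIXED.get(product)
    if threshold is None:
        return False
    installed, fixed = parse_version(version), parse_version(threshold)
    # Pad the shorter tuple so 117.0 and 117.0.0 compare as equal.
    width = max(len(installed), len(fixed))
    return installed + (0,) * (width - len(installed)) >= fixed + (0,) * (width - len(fixed))


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts that still need an update, given (host, product, version) rows."""
    return sorted(host for host, product, version in inventory if not is_fixed(product, version))


# Constructed inventory rows; hostnames and versions are illustrative.
INVENTORY = [
    ("ws-01", "chrome-windows", "116.0.5845.188"),
    ("ws-02", "chrome-windows", "116.0.5845.99"),    # lexically 'newer', numerically older
    ("mac-07", "chrome-mac", "116.0.5845.187"),
    ("dev-03", "firefox", "117.0"),
    ("mail-01", "thunderbird", "115.2.2"),
    ("kiosk-4", "electron-app", "1.2.3"),           # no fixed build on record yet
]

if __name__ == "__main__":
    print("needs update:", triage(INVENTORY))
```

Keep the table in version control and add rows as Edge, Vivaldi, Brave, and Electron-based apps publish their fixed builds; the unknown-product branch is what surfaces those gaps in the meantime.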

As well as being used in other Chromium browsers, such as Edge and Opera, libwebp is bundled into many other tools and image editors, often as a statically linked or vendored copy that the operating system's package manager will not update. We expect to see patches for those browsers and programs, too.

Other than acknowledging that an exploit for the libwebp vulnerability already exists in the wild, Google was tight-lipped regarding the specifics, saying only: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

It added: "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed."

Tarquin Wilton-Jones, of Chromium-based browser maker Vivaldi, told The Register: “Vivaldi tracks Chromium updates very closely, and for security fixes, either the update or a patch is taken in, and released as soon as possible, sometimes within a couple of days, sometimes even the same day.”

He added: “A fix has been included for this particular issue in the most recent Vivaldi update.”

An exploit of a buffer overflow tends to result in a crash or the execution of arbitrary code. Last week, Apple dealt with two issues: CVE-2023-41061 and CVE-2023-41064. The latter, reported by Citizen Lab, was also a buffer overflow in an image-processing component. Citizen Lab referred to an exploit chain for CVE-2023-41064 as BLASTPASS; it required no interaction from the victim, with NSO's Pegasus spyware downloaded and run upon receipt of a malicious image.

While Google has been light on specifics, the credit given to the reporters of CVE-2023-4863, as well as the timing and type, indicates there could be a connection between this and the issues Apple patched last week.

Either way, with an exploit already out in the wild, validating and applying patches when they become available would appear to be the prudent approach. ®

Updated to add

This story was revised to include details of Mozilla's patches for Firefox. Given the widespread use of libwebp in applications, look out for patches for your software of choice to close this hole: Microsoft Edge, Vivaldi, Brave's browser, and Electron-based apps should have updates coming soon if not already.
