Urgent – Critical Security Advisory for web browsers and other common apps that use libwebp

September 28th, 2023

There is a new critical security issue that affects web browsers as well as other software that uses something called libwebp. This feels a whole lot like the Log4j vulnerability, because libwebp is not an application you can see; it is an embedded module inside other applications.

The immediate action is to update all of your web browsers to their current versions. Hopefully, all your browsers are set to auto-update. (If you need help getting your browsers to auto-update, please reach out to us.)

After that, we have to wait for vendors to disclose that they use this software module, and then promptly update those applications.

This is likely to go on for a while as we all come to understand how big an issue this is beyond the obvious web browsers. We will share more information as we receive it.

Below is a more detailed description. If you have any questions, please let us know.

Here are the details:

We're contacting you about a critical zero-day security vulnerability in libwebp (CVE-2023-5129), which is used by many common software programs, such as Google Chrome, Mozilla Firefox, Apple Safari, 1Password, Signal, WhatsApp, and many others.

This vulnerability allows attackers to craft malicious WebP images, and when victims open these images, the attackers can execute arbitrary code and access sensitive user data. In short, simply viewing an image can lead to a person being hacked.

What Happened?

CVE-2023-5129 is a critical zero-day vulnerability recently disclosed in the libwebp library, and it poses significant security risks across numerous software applications and platforms. Initially reported as CVE-2023-4863, the flaw was found in the lossless compression component of the open-source libwebp library, which encodes and decodes images in the WebP format.

Specifically, CVE-2023-5129 is a heap buffer overflow in the Huffman coding routines used by WebP's lossless compression. An attacker can craft a malicious WebP image so that, when a victim opens it, the attacker can execute arbitrary code and access sensitive user data.

How Bad is This?

Heap buffer overflow vulnerabilities such as CVE-2023-5129 are critically severe: they give attackers the ability to execute malicious code or gain unauthorized access to systems, which opens the door not only to control of the system but also to data theft and the introduction of malware. Google has confirmed that an exploit for CVE-2023-4863 exists in the wild, which heightens the urgency of addressing this security issue promptly.

Because the libwebp library is integrated into so many applications and platforms, the exposure and potential impact of CVE-2023-5129 are considerable. The vulnerability is not restricted to web browsers; it extends to any software that relies on libwebp. Consequently, a multitude of applications and systems running on Linux, Android, Windows, macOS, and other platforms are at imminent risk, which underscores the need for immediate and vigilant protective measures.

How to Protect Yourself

Users and administrators should urgently:

Update all software that uses the libwebp library to the latest version. This includes browsers like Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and other applications like 1Password, Signal, and WhatsApp, among many others.

Developers and organizations that rely on the libwebp library should prioritize updating to the patched versions to protect their users. As a user, ensure your system and applications are updated regularly, and always download updates from official sources to avoid falling victim to exploits targeting this vulnerability.
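As a defender-side check to go with the update advice above, here is an added example (it is not part of this advisory and not libwebp's own code): a small Python triage script that reads a WebP file's RIFF chunk headers and reports which parts of the file would be handed to the lossless (VP8L) decoder, the component named above. Mail or upload gateways can use it to hold files that take that code path for scanning until every libwebp-based application is patched. The chunk and flag layouts follow the WebP container format; the sample files at the bottom are constructed and contain dummy image payloads.

```python
import struct
# WebP container triage (added example): list the chunks a file would hand to
# libwebp's lossless (VP8L) decoder. Reads RIFF chunk headers only; no pixel decoding.

def _iter_chunks(buf, off, end):
    """Yield (fourcc, payload) for each RIFF chunk in buf[off:end]."""
    while off + 8 <= end:
        fourcc = buf[off:off + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", buf, off + 4)[0]
        payload = buf[off + 8:off + 8 + size]
        if len(payload) < size:
            raise ValueError(f"truncated {fourcc} chunk")
        yield fourcc, payload
        off += 8 + size + (size & 1)  # payloads are padded to an even length

def _scan(buf, off, end, prefix, found):
    for fourcc, payload in _iter_chunks(buf, off, end):
        if fourcc == "VP8L":
            found.append(prefix + "VP8L")
        elif fourcc == "ALPH" and payload and (payload[0] & 0x03) == 1:
            # ALPH header byte, low two bits = compression; 1 = lossless (VP8L) coder
            found.append(prefix + "ALPH(lossless)")
        elif fourcc == "ANMF" and len(payload) > 16:
            # animation frame: 16-byte header, then nested ALPH/VP8/VP8L chunks
            _scan(payload, 16, len(payload), prefix + "ANMF/", found)

def lossless_paths(data):
    """Chunks that reach the VP8L decoder, in file order ([] for lossy-only files)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    found = []
    _scan(data, 12, min(len(data), 8 + riff_size), "", found)
    return found

# Constructed sample files: genuine container headers around dummy image payloads.
def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad
def _webp(*chunks):
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

LOSSY = _webp(_chunk(b"VP8 ", b"\0" * 10))
LOSSLESS = _webp(_chunk(b"VP8L", b"\x2f" + b"\0" * 9))       # 0x2f = VP8L signature byte
LOSSLESS_ALPHA = _webp(_chunk(b"VP8X", b"\x10" + b"\0" * 9),  # 0x10 = alpha flag
                       _chunk(b"ALPH", b"\x01" + b"\0" * 4),  # odd length, gets padded
                       _chunk(b"VP8 ", b"\0" * 10))
ANIMATED = _webp(_chunk(b"VP8X", b"\x02" + b"\0" * 9),        # 0x02 = animation flag
                 _chunk(b"ANMF", b"\0" * 16 + _chunk(b"VP8L", b"\x2f" + b"\0" * 9)))
```

Run it over a folder of attachments with `lossless_paths(open(path, "rb").read())`; a non-empty result means the file exercises the affected code path and is worth holding until the receiving applications are updated.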

-Scott Quimby, CISSP