Google's understatement led to the failure to disclose vulnerabilities in thousands of apps.
Google has provided new details about a critical vulnerability that affects thousands of individual applications and software frameworks. The previous version of the flaw gave an erroneous impression that the threat concerns only the Chrome browser.
The vulnerability comes from the libwebp code library, created by Google in 2010 to display WebP images. The format made it possible to reduce the file size by 26% compared to PNG. Libwebp is integrated into almost every application, operating system, or other code library that displays WebP images, in particular, the Electron framework used in Chrome and many other desktop and mobile applications.
Two weeks ago, Google reported a WebP buffer overflow vulnerability in Chrome (CVE-2023-4863, CVSS: 8.8). The error description listed Chrome as the affected software, although any code using libwebp was vulnerable. Critics warned that a misunderstanding on Google's part could lead to a delay in fixing the vulnerability.
This week, Google revealed a new bug, CVE-2023-5129 (CVSS: 10), indicating that the flaw affects the libwebp library. In addition, the vulnerability risk level was raised from 8.8 to 10. Google's new disclosure provides many more details. Where the vulnerability was earlier described as "buffer overflow in WebP in Google Chrome", it is now added that, when a specially crafted WebP file is used, libwebp can write data outside the buffer.
The incompleteness of Google's first CVE isn't just an academic mistake. More than two weeks later, a lot of the software remains unpatched. Regardless of whether the vulnerability is tracked as CVE-2023-4863 or CVE-2023-5129, the vulnerability in libwebp is dangerous. Users should make sure that the Electron versions they use are v22.3.24, v24.8.3, or v25.8.1 compliant.
In addition to Google, Apple also faced a problem with WebP images; Apple was also warned two weeks ago that attackers were actively using a vulnerability in iOS to install Pegasus spyware. Attacks were carried out without user interaction (zero-click): it was enough to receive a call or message on the iPhone for the device to be infected.
Apple pointed out that the vulnerability, tracked as CVE-2023-41064 (CVSS: 7.8) and already patched at the moment, comes from a buffer overflow bug in ImageIO, a framework that allows applications to read and write most image formats, including WebP.
Security researchers suggested that both vulnerabilities may have a common source, and criticized Apple, Google and Citizen Lab for not coordinating their actions and not pointing out the common source of the vulnerability, preferring to use different CVE designations. Researchers from security firm Rezilion have confirmed that both vulnerabilities do indeed originate from the same bug in the libwebp code library, which is used for WebP image processing.
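An added inventory check, not part of the post above, for the Electron advice it gives: it compares observed Electron version strings against the fix levels the post names (v22.3.24, v24.8.3, v25.8.1). It assumes that later releases within the same major line also carry the libwebp fix, reports major lines the post does not list as unknown, and treats a pre-release of the fix version (e.g. 25.8.1-beta.2) as still vulnerable, semver style.

```python
"""Triage Electron versions against the libwebp (CVE-2023-4863 / CVE-2023-5129)
fix levels named in the post. Added example, not the post's own code."""
import re
from typing import Optional

# Minimum patched release per Electron major line, as listed in the post.
# Assumption: later releases in the same major line also carry the fix;
# major lines not listed here are reported as unknown (check release notes).
PATCHED_ELECTRON = {
    22: (22, 3, 24, 1),
    24: (24, 8, 3, 1),
    25: (25, 8, 1, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> tuple:
    """Parse 'v25.8.1' or '25.8.1-beta.2' into (major, minor, patch, release).
    release is 1 for a final build and 0 for a pre-release, so that a
    pre-release sorts below the final build of the same number (semver)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Electron version: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def electron_is_patched(version: str) -> Optional[bool]:
    """True if at/after the fix level, False if known vulnerable, None if the
    major line is not covered by the post's list."""
    parsed = parse_version(version)
    floor = PATCHED_ELECTRON.get(parsed[0])
    if floor is None:
        return None
    return parsed >= floor


def triage(versions) -> dict:
    """Bucket observed Electron versions for an inventory report."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for v in versions:
        state = electron_is_patched(v)
        key = "patched" if state else ("unknown" if state is None else "vulnerable")
        report[key].append(v)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from package.json files.
    sample = ["v25.8.1", "25.7.0", "24.8.3", "v22.3.23", "26.0.0", "25.8.1-beta.2"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {items}")
```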
