Google has provided new details about a critical vulnerability that affects thousands of separate applications and software frameworks. The vulnerability was initially thought to affect only the Chrome browser, but Google has now revealed that it stems from libwebp, the code the company created in 2010 to display WebP images.
The libwebp code allowed files to be reduced in size by 26% compared to PNG, making it an attractive option for almost every application, operating system, or code library that displays WebP images. This includes the Electron framework used in Chrome and many other desktop and mobile devices.
Two weeks ago, Google reported a buffer overflow vulnerability in WebP in Chrome (CVE-2023-4863, CVSS 8.8). However, it was later discovered that any code using libwebp was vulnerable, leading to concerns that Google's initial description could delay efforts to address the issue.
This week, Google released new information about the vulnerability, identifying it as CVE-2023-5129 and raising its CVSS score from 8.8 to 10. The updated details reveal that the vulnerability affects the libwebp library and that data can be accessed outside the buffer when a specially crafted WebP file is processed.
It is crucial to address this vulnerability promptly, as many potential attack vectors remain unpatched. Whether referred to as CVE-2023-4863 or CVE-2023-5129, the libwebp vulnerability poses a significant threat. Users are advised to ensure their Electron versions correspond to v22.3.24, v24.8.3, or v25.8.1.
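The version check advised above can be run across a source tree. The script below is an added example, not code from Google or the Electron project. It assumes that each installed copy of Electron records its version in `node_modules/electron/package.json`, and that later releases on the same major line as a listed version also carry the fix. Major lines the article does not name are reported as `unknown`.

```python
import json
import os
import re

# Patched Electron releases named in the article, keyed by major line.
PATCHED = {22: (22, 3, 24), 24: (24, 8, 3), 25: (25, 8, 1)}


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for an Electron version string."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-.+)?$", version.strip())
    if not m or m.group(4):
        return "unknown"  # unparseable, or a pre-release build we cannot rank
    parsed = tuple(int(part) for part in m.group(1, 2, 3))
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return "unknown"  # the article names no fixed release for this major line
    # Assumption: releases after the listed one on the same line keep the fix.
    return "patched" if parsed >= fixed else "vulnerable"


def scan(root):
    """Return sorted (manifest_path, version, verdict) for each Electron install under root."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if (os.path.basename(dirpath) == "electron"
                and parent == "node_modules"
                and "package.json" in filenames):
            manifest = os.path.join(dirpath, "package.json")
            try:
                with open(manifest, encoding="utf-8") as fh:
                    version = str(json.load(fh).get("version", ""))
            except (OSError, ValueError, AttributeError):
                version = ""  # unreadable or malformed manifest
            results.append((manifest, version, classify(version)))
            dirnames[:] = []  # no need to descend into the package itself
    return sorted(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for manifest, version, verdict in scan(target):
        print(f"{verdict:10} {version or '?':12} {manifest}")
```

Packaged applications that ship Electron without a `node_modules` directory are not covered by this scan and need their bundled version checked separately.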
Apple has also encountered an issue with WebP images. Two weeks ago, Apple warned of active exploitation of an iOS vulnerability to install Pegasus spyware without user interaction ("zero-click"). The exploit infected the device when the iPhone received a call or message.