Countless applications display images in Google's WebP format. A vulnerability in the library that decodes the format therefore affects every application that uses it. Initially, Google attributed the vulnerability only to its own web browser, Chrome.
New gap = old gap?
Google then corrected itself and filed a new entry, CVE-2023-5129, with a critical rating (CVSS score 10 out of 10) for the same security vulnerability that had been tracked as CVE-2023-4863 ("high").
However, Google withdrew this new entry after just six hours, on the grounds that it duplicates the old one. The old entry has instead been supplemented: in addition to Chrome, the vulnerability affects the entire libwebp library, which many applications use.
Google has described the flaw only as a heap buffer overflow in WebP decoding; what an attack looks like in practice is still unclear. In the context of web browsers the usual vector is a prepared HTML page: merely visiting a site that embeds a specially crafted WebP image would be enough to trigger the bug when the image is decoded. A successful attack lets the attacker run code with the privileges of the application that decoded the image.
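To make concrete what "a crafted WebP image" is, here is an added example that is not part of the original article: a small Python walker for the WebP RIFF container that validates the size fields, lists the chunks an image carries and decodes the VP8L (lossless) header, which is the decoder path touched by the libwebp 1.3.2 fix. The sample bytes are constructed inline for this example, and the function names (`parse_webp`, `make_sample_vp8l`, `make_truncated_sample`) are chosen here, not taken from libwebp.

```python
"""Minimal WebP (RIFF) container walker: lists chunks and decodes the VP8L header."""
import struct

# Chunk tags defined by the WebP container format.
LOSSY, LOSSLESS, EXTENDED = b"VP8 ", b"VP8L", b"VP8X"


def _vp8l_header(payload: bytes) -> dict:
    """Decode the 5-byte VP8L header: 0x2F signature, then 14-bit width-1,
    14-bit height-1, 1 alpha bit and a 3-bit version, packed little-endian."""
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = int.from_bytes(payload[1:5], "little")
    return {
        "lossless": True,
        "width": (bits & 0x3FFF) + 1,
        "height": ((bits >> 14) & 0x3FFF) + 1,
        "alpha": bool((bits >> 28) & 1),
        "version": (bits >> 29) & 0x7,
    }


def parse_webp(data: bytes) -> dict:
    """Return the RIFF size and a chunk list; raise ValueError on a malformed container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    # The RIFF size counts everything after the 8-byte RIFF header. A file that
    # claims more than it contains is the first thing a robust decoder rejects.
    if riff_size + 8 > len(data):
        raise ValueError(f"RIFF size {riff_size} exceeds file length {len(data)}")
    end = 8 + riff_size
    chunks = []
    pos = 12
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        # Every chunk length is checked against the container, not trusted.
        if payload_start + size > end:
            raise ValueError(f"chunk {tag!r} size {size} overruns container")
        payload = data[payload_start:payload_start + size]
        info = {"tag": tag.decode("ascii", "replace"), "size": size}
        if tag == LOSSLESS:
            info.update(_vp8l_header(payload))
        chunks.append(info)
        pos = payload_start + size + (size & 1)  # chunk payloads are padded to even length
    return {"riff_size": riff_size, "chunks": chunks}


def _riff(chunks: bytes) -> bytes:
    """Wrap raw chunk bytes in a RIFF/WEBP header with a consistent size field."""
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks


def make_sample_vp8l() -> bytes:
    """Constructed sample: a 2x3 lossless image header with alpha, version 0,
    followed by three placeholder bitstream bytes (not a decodable picture)."""
    bits = (2 - 1) | ((3 - 1) << 14) | (1 << 28) | (0 << 29)
    payload = b"\x2f" + bits.to_bytes(4, "little") + b"\x00" * 3
    return _riff(b"VP8L" + struct.pack("<I", len(payload)) + payload)


def make_truncated_sample() -> bytes:
    """Constructed sample whose VP8L chunk claims 64 bytes but carries only 8."""
    payload = b"\x2f\x01\x80\x00\x10\x00\x00\x00"
    return _riff(b"VP8L" + struct.pack("<I", 64) + payload)


if __name__ == "__main__":
    print(parse_webp(make_sample_vp8l()))
    try:
        parse_webp(make_truncated_sample())
    except ValueError as exc:
        print("rejected:", exc)
```

The walker deliberately stops at the chunk level: it tells you which codec path (lossy VP8, lossless VP8L) an image will send the decoder down and whether the size fields are self-consistent, which is the triage information a responder wants before handing a suspicious file to a real decoder.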
Affected applications include browsers such as Edge and Firefox, Linux distributions such as Debian and Ubuntu, and desktop applications such as LibreOffice, Slack and Signal Desktop. Many applications built on the Electron framework are affected as well, because Electron bundles its own copy of the library. A security researcher is currently compiling a list of vulnerable Electron apps on GitHub. libwebp 1.3.2 contains the fix, so applications that ship that version or later are protected.
The list of affected applications is long and not all security updates have been released yet. Users should watch for patches and install them promptly. Fixed releases have already been published for Firefox, Thunderbird and Tails, among others.
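One check a practitioner can run while waiting for vendor patches is to ask the libwebp actually installed on a system which version it is. The following is an added example, not code from the article or from libwebp: it loads the shared library through `ctypes`, calls the real `WebPGetDecoderVersion()` entry point, and compares the result with 1.3.2, the release that contains the fix. The helper names (`unpack_version`, `is_patched`, `system_libwebp_version`) are chosen here.

```python
"""Report the system libwebp version and compare it with the fixed release."""
import ctypes
import ctypes.util

FIXED = (1, 3, 2)  # libwebp 1.3.2 is the first release with the CVE-2023-4863 fix


def unpack_version(packed: int) -> tuple:
    """WebPGetDecoderVersion() returns major<<16 | minor<<8 | patch as one int."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_patched(version: tuple) -> bool:
    """True when the (major, minor, patch) tuple is the fixed release or newer."""
    return tuple(version) >= FIXED


def system_libwebp_version(libname: str = "webp"):
    """Load the shared libwebp found by the dynamic linker and return its version
    as (major, minor, patch), or None when no such library is installed."""
    path = ctypes.util.find_library(libname)
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.WebPGetDecoderVersion.restype = ctypes.c_int
    lib.WebPGetDecoderVersion.argtypes = []
    return unpack_version(lib.WebPGetDecoderVersion())


if __name__ == "__main__":
    found = system_libwebp_version()
    if found is None:
        print("no shared libwebp found via the dynamic linker")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE"
        print("system libwebp %d.%d.%d: %s" % (*found, state))
```

The caveat that matters here is the one the article's list of affected programs illustrates: browsers, Electron apps and many other programs link libwebp statically or ship their own copy, and those copies are invisible to this check. A patched system library says nothing about the decoder inside Slack or Signal Desktop; for those, only the vendor's own update fixes the problem.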
The flaw is apparently connected to the vulnerability exploited on Apple systems as CVE-2023-41064 ("high") by the controversial security company NSO Group. There are currently no further details about this.