A critical security vulnerability has been discovered in libwebp, the reference library for Google's WebP image format, that could allow attackers to execute malicious code on millions of devices. The flaw, tracked as CVE-2023-4863, affects a wide range of browsers and applications that use libwebp to decode WebP images.
WebP is a modern image format that typically offers better compression than JPEG and PNG at comparable quality, so it is widely used by websites and apps to reduce bandwidth and improve loading speed. Researchers from Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School reported a heap buffer overflow in libwebp that can lead to a crash or arbitrary code execution when a maliciously crafted WebP image is decoded.
A heap buffer overflow occurs when a program writes more data into a heap-allocated buffer than the buffer was sized to hold, so the excess spills into adjacent heap memory, overwriting other objects or allocator metadata. The result can be corrupted data, a crash, or, with a carefully shaped input, execution of attacker-controlled code. In an image decoder the dangerous input is the image itself: an attacker can deliver a crafted WebP file by email, instant messaging, or social media, or by embedding it in a web page or in content loaded by an app, and the decoder processes it as soon as the image is rendered, with no further action by the victim.
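To make the bug class concrete, here is an added example (written for this article, not libwebp's code and not the real WebP bitstream) of a toy image-chunk decoder whose buffer is sized from one header field while the copy length comes from another. The chunk layout, the function names, and the sample inputs are all invented for the illustration; the hardened version shows the checks a decoder must perform on every length it reads from the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical chunk layout, constructed for this example (NOT WebP/VP8L):
 *   bytes 0-1  width        (little-endian uint16)
 *   bytes 2-3  height       (little-endian uint16)
 *   bytes 4-7  payload_len  (little-endian uint32)
 *   bytes 8..  payload: one byte per pixel, row-major
 */
#define HDR_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the heap buffer is sized from width*height, but the copy
 * length is taken from payload_len. Both fields are attacker-controlled and
 * nothing ties them together, so a large payload_len writes past the buffer
 * (and reads past the end of the input). */
int vulnerable_decode(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    if (in_len < HDR_LEN) return -1;
    size_t w = rd16(in), h = rd16(in + 2);
    uint32_t payload_len = rd32(in + 4);
    size_t pixels = w * h;
    uint8_t *buf = malloc(pixels);           /* allocation: w*h bytes */
    if (!buf) return -1;
    memcpy(buf, in + HDR_LEN, payload_len);  /* BUG: heap buffer overflow when payload_len > pixels */
    *out = buf; *out_len = pixels;
    return 0;
}

/* Hardened: every length derived from the input is checked against both the
 * bytes actually present and the size that will be allocated. */
int hardened_decode(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    if (in_len < HDR_LEN) return -1;
    size_t w = rd16(in), h = rd16(in + 2);
    uint32_t payload_len = rd32(in + 4);
    if (w == 0 || h == 0) return -1;                /* degenerate dimensions */
    size_t pixels = w * h;                          /* both <= 65535, cannot overflow size_t */
    if (payload_len != pixels) return -1;           /* payload must match the allocation exactly */
    if (payload_len > in_len - HDR_LEN) return -1;  /* header claims more bytes than were supplied */
    uint8_t *buf = malloc(pixels);
    if (!buf) return -1;
    memcpy(buf, in + HDR_LEN, payload_len);
    *out = buf; *out_len = pixels;
    return 0;
}

/* Constructed sample inputs (not real WebP files). */
static const uint8_t benign_chunk[] = {
    2, 0, 2, 0,             /* width=2, height=2 */
    4, 0, 0, 0,             /* payload_len=4 == 2*2 */
    0x10, 0x20, 0x30, 0x40
};
static const uint8_t malicious_chunk[HDR_LEN + 64] = {
    2, 0, 2, 0,             /* width=2, height=2 -> 4-byte allocation */
    64, 0, 0, 0             /* payload_len=64 -> 60 bytes written past the buffer */
    /* remaining 64 payload bytes are zero */
};

/* Wrappers that decode, free, and report the outcome. */
int hardened_accepts(const uint8_t *in, size_t in_len) {
    uint8_t *px = NULL; size_t n = 0;
    int rc = hardened_decode(in, in_len, &px, &n);
    free(px);
    return rc == 0;
}
int vulnerable_accepts(const uint8_t *in, size_t in_len) {
    uint8_t *px = NULL; size_t n = 0;
    int rc = vulnerable_decode(in, in_len, &px, &n);
    free(px);
    return rc == 0;
}
/* Pixel value at idx after a hardened decode, or -1 if rejected/out of range. */
int hardened_pixel(const uint8_t *in, size_t in_len, size_t idx) {
    uint8_t *px = NULL; size_t n = 0;
    if (hardened_decode(in, in_len, &px, &n) != 0) return -1;
    int v = idx < n ? px[idx] : -1;
    free(px);
    return v;
}

int main(void) {
    printf("hardened(benign)    accepted=%d\n", hardened_accepts(benign_chunk, sizeof benign_chunk));
    printf("hardened(malicious) accepted=%d\n", hardened_accepts(malicious_chunk, sizeof malicious_chunk));
    printf("vulnerable(benign)  accepted=%d\n", vulnerable_accepts(benign_chunk, sizeof benign_chunk));
#ifdef DEMO_OVERFLOW
    /* Build with -fsanitize=address -DDEMO_OVERFLOW to watch ASan report the
     * heap-buffer-overflow in vulnerable_decode on the malicious chunk. */
    vulnerable_accepts(malicious_chunk, sizeof malicious_chunk);
#endif
    return 0;
}
```

The point of the hardened version is not the specific comparison but the discipline: a decoder must never let one attacker-controlled field decide the allocation while another decides how much is written into it. Fuzzing libwebp-style parsers under AddressSanitizer is the standard way to surface exactly this mismatch before an attacker does.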
The vulnerability affects Chromium-based browsers such as Chrome, Brave, and Edge, as well as Firefox, which is not Chromium-based but ships its own copy of libwebp, and other applications that bundle the library, such as Telegram, Thunderbird, and GIMP. Google issued an out-of-band security patch for Chrome on September 11th, 2023, and advised users to update their browsers as soon as possible; the upstream fix shipped in libwebp 1.3.2. Because many applications statically link libwebp rather than using a shared system library, each affected application must ship its own update, and users should expect a wave of releases rather than a single fix.
Google has also stated that it is aware of an exploit for CVE-2023-4863 existing in the wild, but has not provided any details about the nature or origin of the attack. However, the flaw may be related to another security issue that Apple and the Citizen Lab disclosed on September 7th. That issue, tracked as CVE-2023-41064, is a buffer overflow in Apple's ImageIO framework that can likewise lead to arbitrary code execution when a maliciously crafted image is processed.
According to the Citizen Lab, CVE-2023-41064 was chained with a flaw in the Wallet app (CVE-2023-41061) in a zero-click iMessage exploit named BLASTPASS, which deployed Pegasus spyware on fully patched iPhones running iOS 16.6. Pegasus is a sophisticated surveillance tool that can access messages, calls, contacts, photos, videos, location data, the microphone, the camera, and more on infected devices. It is developed by NSO Group, an Israeli company that sells its products to governments and law enforcement agencies around the world.
Apple shipped fixes for CVE-2023-41064 across iOS, iPadOS, macOS, and watchOS in early September, beginning with iOS 16.6.1 on September 7th. It is not yet confirmed whether CVE-2023-4863 was part of the BLASTPASS chain or has been used by other threat actors. Both vulnerabilities are triggered by image parsing, and in a zero-click chain the image is decoded before the user sees or opens anything, so the advice to avoid images from unknown sources offers little protection on its own. The effective mitigation is to update devices and applications as soon as patches are available.
The discovery of these vulnerabilities highlights the importance of keeping software up to date, including the many apps that embed their own image decoders. It is worth being precise about what encryption does and does not buy here: iMessage is end-to-end encrypted, and Telegram's cloud chats are not by default, but neither property matters to this attack, because the malicious image is decrypted and decoded on the victim's own device. End-to-end encryption protects data in transit from third parties; it does not protect a device from a malformed attachment it chooses to parse. For users at elevated risk on Apple platforms, Lockdown Mode, which restricts attachment handling in Messages, was reported by the Citizen Lab to block the BLASTPASS chain and is a reasonable precaution alongside prompt patching.