Insights | Integrity360

Advisory: CVE-2023-4863 – Critical WEBP Bug

Written by The Integrity360 Team | 15 September 2023 12:20:40 Z

Background On The Vulnerability:

Date reported to Google: 6 September 2023, by Apple Security Engineering and Architecture (SEAR) together with The Citizen Lab at the University of Toronto's Munk School.

Date known to the public: Google's Chrome Stable Channel Update disclosing the bug was published on Monday 11 September 2023; wider reporting followed on Tuesday 12 September 2023.

CVE-2023-4863 is a heap buffer overflow in the WebP codec library (libwebp). Google has stated that an exploit for it exists in the wild, so treat it as actively exploited.

Vulnerability Information so far:

Google's own description: "Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page."

The flaw is a heap buffer overflow in the WebP code library (libwebp), in the decoder's lossless (VP8L) path; upstream fixed it in libwebp 1.3.2. Its impact ranges from a crash to arbitrary code execution. In a browser, simply opening a malicious WebP image can trigger the overflow inside the content (renderer) process, with no further user interaction required.

Google Chrome and Mozilla Firefox, among other browsers, decode WebP with libwebp because of its efficient image compression, so a crafted image served on any web page reaches all of them. Exploitation of this flaw can jeopardise the security of millions of internet users.

How Critical is this vulnerability?:

Very. A heap buffer overflow lets an attacker write outside the memory buffer that the decoder allocated for image data. Because the exploit is already in use in the wild, an attacker who can exploit it may be able to take control of a system, steal data, or install malware.

The attacker does not need the victim to download or run anything: they need only get the target application to decode specially crafted WebP data. That can be an image embedded in a web page, an attachment or inline image in an email, a picture shared in a chat client, or a file opened in an image viewer. The crafted data makes the program behave in ways its authors never intended, up to running the attacker's code or granting unauthorised access to the system.

A codec is the translator that lets a program understand and display WebP images (a format comparable to JPEG or PNG). Any program that contains a vulnerable copy of this codec is exposed when it renders an image an attacker controls, whether or not the program is a browser.

Known Applications Affected So Far (with Patches available):

  • Google Chrome, updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/188 for Windows
  • Microsoft Edge, updated to 116.0.1938.81 (116.1938.79 for iOS)
  • Mozilla Firefox, updated to 117.0.1 (ESR branches: 115.2.1 and 102.15.1)
  • Opera, updated to 102.0.4880.46
  • Vivaldi, updated to 6.2.3105.47
  • Brave, updated to the build based on Chromium 116.0.5845.188
  • Thunderbird, updated to 115.2.2 and 102.15.1
  • 1Password for Mac (update released 14 September 2023)
  • Signal Desktop
  • Honeyview (from Bandisoft)

To note: this vulnerability is not limited to web browsers. Any application that uses the libwebp library is affected until it ships a build containing the fix (libwebp 1.3.2 upstream, or a distribution package with the fix backported). Examples include Affinity, GIMP, Inkscape, LibreOffice, Telegram and ffmpeg, many Android applications, cross-platform apps built with Flutter, and Electron-based desktop apps, which is why 1Password and Signal Desktop appear in the list above. Applications that bundle their own copy of libwebp do not pick up the fix from an operating-system update; each needs its own vendor update.

Recommendations:

  • All Chrome users are advised to update as soon as possible. Security updates are automatic, but Chrome only applies a downloaded update when it is relaunched, so check on each device that the fix has not just been downloaded but is actually running: chrome://settings/help shows the current version and triggers an update check.
  • Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1 and Thunderbird 115.2.2. These updates are also automatic, but again the fix only takes effect after a restart; restart the application, or update it manually from Help > About, which also forces an update check.
  • Customers who push application updates via SCCM or other patch-management software should push these updates to all users as soon as possible, and use their inventory to confirm the installed version rather than assuming the push succeeded.
  • Customers should look out for security updates for the other applications mentioned where they are not yet available, and, for anything else that decodes untrusted images, ask the vendor whether it bundles libwebp.
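The recommendations above reduce to a single check per device: is every installed copy at or above the fixed version? The Python script below is an added example written for this page, not code from Integrity360 or from any of the vendors listed. FIXED_VERSIONS is transcribed from the list in this advisory; SAMPLE_INVENTORY is constructed sample data standing in for whatever your patch-management tool exports (product name to installed version string), and the function and product names are the example's own. It compares versions numerically rather than as strings (a string comparison calls Chrome 116.0.5845.96 "newer" than 116.0.5845.187), and it handles the Firefox and Thunderbird ESR branches, which sit below 117 yet are patched.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions transcribed from the advisory's list above.
# Products with several supported branches list one fixed version per
# branch (Firefox release, ESR 115, ESR 102; Thunderbird 115 and 102).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Google Chrome": ["116.0.5845.187"],
    "Microsoft Edge": ["116.0.1938.81"],
    "Mozilla Firefox": ["117.0.1", "115.2.1", "102.15.1"],
    "Thunderbird": ["115.2.2", "102.15.1"],
    "Opera": ["102.0.4880.46"],
    "Vivaldi": ["6.2.3105.47"],
    "Brave (Chromium build)": ["116.0.5845.188"],
}

# Constructed sample inventory (not real telemetry): product -> installed
# version, the shape an SCCM/Intune/Jamf/osquery export would give you.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Google Chrome": "116.0.5845.96",      # pre-fix build; string compare would call it newer
    "Microsoft Edge": "116.0.1938.81",     # exactly the fixed build
    "Mozilla Firefox": "115.2.1esr",       # ESR branch: below 117, yet patched
    "Thunderbird": "102.14.0",             # ESR 102 branch, one release short
    "Opera": "102.0.4880.51",              # newer than the fixed build
    "Brave (Chromium build)": "117.0.5938.62",  # newer major than any listed fix
    "Honeyview": "5.51",                   # advisory lists no version: verify with vendor
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '116.0.5845.187' or '115.2.1esr' into a tuple of ints so that
    comparison is numeric per component, not lexicographic on the string."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version components in {text!r}")
    return parts


def required_version(product: str, installed: str) -> Optional[str]:
    """Pick the fixed version that applies to the installed branch.

    Same major version as a listed fix -> that branch's fix. Otherwise fall
    back to the newest listed fix: an installed major newer than every fix
    passes, and an unsupported older major must move to the current release.
    Returns None when the advisory gives no fixed version for the product."""
    candidates = FIXED_VERSIONS.get(product)
    if not candidates:
        return None
    major = parse_version(installed)[0]
    for fixed in candidates:
        if parse_version(fixed)[0] == major:
            return fixed
    return max(candidates, key=parse_version)


def status(product: str, installed: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (no fixed version on record)."""
    required = required_version(product, installed)
    if required is None:
        return "unknown"
    return "patched" if parse_version(installed) >= parse_version(required) else "vulnerable"


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (product, installed, required, status) rows, worst first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = [(p, v, required_version(p, v), status(p, v)) for p, v in inventory.items()]
    return sorted(rows, key=lambda row: order[row[3]])


if __name__ == "__main__":
    for product, installed, required, state in audit(SAMPLE_INVENTORY):
        print(f"{state:10} {product:24} installed {installed:16} fixed {required or 'n/a'}")
```

Two caveats when you run this against real data. First, a product marked "unknown" is not safe; it is one the advisory gives no threshold for, so take the fixed version from the vendor's own notice before adding it to FIXED_VERSIONS. Second, this check only covers applications whose version number tracks the fix. Applications that statically bundle libwebp (Electron and Flutter apps, image viewers) need the vendor's statement about which build contains the fix, and Linux distribution packages backport it into older libwebp version numbers, so comparing a distro package against upstream 1.3.2 would produce false alarms.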