
Google released a new CVE for libwebp vulnerability


According to Cyberkendra, Google has addressed the libwebp vulnerability by assigning a new CVE. The vulnerability was found in the WebP image library.

Tech companies are sometimes hit with critical vulnerabilities that might put the company's and its users' data at risk. In this case, the libwebp library was the target. The libwebp library is used in many applications and programs to encode and decode images in WebP format.

Apple and Citizen Lab first spotted the WebP image library vulnerability as CVE-2023-4863, which is specific to Google Chrome. Now, Google has reclassified it as CVE-2023-5129 and correctly attributed it as a flaw in libwebp.

The libwebp vulnerability gets a new CVE

To be more specific, the open-source libwebp package, which offers encoding and decoding of images in WebP format, contains a flaw in its lossless compression component.

The way this vulnerability hits users is simple. The process starts with a malicious WebP image. Once the user opens the file, the attacker can execute arbitrary code and access the victim’s data.

According to former Project Zero manager Ben Hawkes, this bug can be turned into a remote exploit for apps like Signal and WhatsApp on the affected Android devices. He added, “The bad news is that Android is still likely affected. Similar to Apple’s ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported.”

The vulnerability was first found in Google Chrome and labeled as CVE-2023-4863. However, it can affect any software that uses the WebP codec through the libwebp library. Mozilla Firefox, Apple Safari, and Microsoft Edge are other web browsers that utilize libwebp.

Countless Linux, Android, Windows, and macOS applications rely on WebP image handling through libwebp. Native browser apps on Android devices are a significant target for the bug because the codec is built into Android.

Google has fixed the vulnerability in its apps. Now, it's time for any other platform or application that uses the libwebp library to release patches to its users in order to address the issue.
