A recent blog post from Cyber Kendra discusses a new zero-day vulnerability in the WebP image library that may have drastic cybersecurity implications. The bug was initially classified by Apple and Citizen lab as CVE-2023-4863. Upon first reporting it was believed to be tracked specifically to Google Chrome. Unfortunately, a reclassification of the bug as CVE-2023-5129 revealed that the vulnerability impacts any software utilizing the WebP codec through the libwebp library. Within this list includes popular browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge.
Popular applications that Use Webp Code:
- Microsoft Teams
In addition, any Android user could be at risk due to the WebP image handling and software projects installed into every Android device. Former Project Zero manager, Ben Hawkes, clarifies the implications for Android users and beyond, “if this bug does affect android, then it could potentially be turned into a remote exploit for apps like signal and WhatsApp.”
What are the ramifications of such a vast security risk? For one, incorrectly distinguishing it as an issue exclusive to Chrome wasted valuable time. Users across the abundant libwebp software applications and platforms were exposed to potential attacks without knowing all of the facts. In the case of any cyber security risk, knowledge is power. Acting quickly and proactively can prevent a loss of data or an invasive security breach.
Thankfully, patches to resolve the security vulnerability have already been created. As long as organizations and developers move quickly to update older versions of the software the extent of damage can be mitigated.
Some vendors that have issued patches against the bug include:
- Google Chrome
- Microsoft Edge
- Tor Browser
All organizations should have cyber security plans in place for both applications and infrastructure. If your IT department or provider isn’t working with you on this matter, give OptfinITy a call at 703-7900-0400 or via email at email@example.com.