A high-severity heap buffer overflow vulnerability in libwebp, fixed recently as a zero-day flaw on Google Chrome, has a much broader impact than initially thought.
Libwebp is an open-source library that programs incorporate to gain the ability to encode and decode images in the WebP format, a modern lossless/lossy compression format used extensively in web applications published by Google. Hundreds of apps use libwebp to support the WebP image format, so a vulnerability in it has cascading potential.
After a couple of days of confusion in the security community following the initial disclosure of the flaw, tracked as CVE-2023-4863, analysts have come to realize the impact of the problem is vast, going beyond web browsers. As it has been reported that hackers are actively exploiting CVE-2023-4863 in attacks, the risk for millions of people using still-impacted software is high.
Source of confusion
The first public disclosure of CVE-2023-4863 came on September 11, 2023, on a Google Chrome release announcement that warned about the flaw being actively exploited. The bulletin mentions that Apple Security Engineering and Architecture (SEAR) and The Citizen Lab discovered and reported the flaw.
Soon, researchers noticed that the underlying issue in the libwebp library appears to be very similar to CVE-2023-41064, also discovered by Citizen Lab, which was publicly reported and fixed by Apple on September 7, 2023. That flaw was also a zero-day that triggers arbitrary code execution when a maliciously crafted image is processed on iOS devices, leading to NSO Pegasus infections.
In reality though, the flaw is neither on Google Chrome nor on Apple iOS, but on libwebp, and there should definitely not be two separate CVEs about what is very likely the same security problem. The main issue arising from this mishandling is that few realized the actual attack surface caused by the flaw on libwebp, so many of the impacted software vendors delayed their response.
Scope of impact
A long list of open-source packages uses libwebp as a dependency, including chromium, ffmpeg, gimp, libreoffice, webkit2gtk, electron, and godot. Unfortunately, at the time of writing, 11 days after the security problem on libwebp was confirmed, the following popular software projects still use a vulnerable version of the library:
- Microsoft Teams
Also, many other software have released security updates to address the critical libwebp vulnerability, including Mozilla Firefox, Opera, Ubuntu Linux, Signal Desktop, and Honeyview. Users should upgrade to the latest versions of these apps as soon as possible to mitigate the risk.
A proof of concept on exploiting the vulnerability (both CVEs) was published yesterday on GitHub.
Those interested in diving deeper into the technical details of the security problem on libwebp may check this excellent write-up by security analyst Ben Hawkes.